[PATCH v2 0/6] Intel MAX10 BMC Security Engine Driver

[PATCH v2 0/6] Intel MAX10 BMC Security Engine Driver

[Russ Weight]

These patches were previously submitted as part of a larger V1
patch set under the title "FPGA Security Manager Class Driver".

The Intel MAX10 BMC Security Engine driver instantiates the Intel
Security Manager class driver and provides the callback functions
required to support secure updates on Intel n3000 PAC devices.
This driver is implemented as a sub-driver of the Intel MAX10 BMC
mfd driver. Future instances of the MAX10 BMC will support other
devices as well (e.g. d5005) and this same MAX10 BMC Security
Engine driver will receive modifications to support that device.

This driver interacts with the HW secure update engine of the
BMC in order to transfer new FPGA and BMC images to FLASH so
that they will be automatically loaded when the FPGA card reboots.
Security is enforced by hardware and firmware. The MAX10 BMC
Security Engine driver interacts with the firmware to initiate
an update, pass in the necessary data, and collect status on
the update.

This driver passes operation call-back functions to the Intel
FPGA Security Manager Class Driver to support the following
functions:

(1) Instantiate and monitor a secure update
(2) Display security information including: Root Entry Hashes (REH),
    Cancelled Code Signing Keys (CSK), and flash update counts for
    both BMC and FPGA images.

These patches are dependent on other patches that are under
review. If you want to apply these patches on linux-next,
please apply these patches first, in the following order:

(1 patch)   https://marc.info/?l=linux-fpga&m=159782339732362&w=2
(4 patches) https://marc.info/?l=linux-fpga&m=160014074806950&w=2
(7 patches) https://marc.info/?l=linux-fpga&m=160167824311379&w=2

Changelog v1 -> v2:
  - These patches were previously submitted as part of a larger V1
    patch set under the title "Intel FPGA Security Manager Class Driver".
  - Grouped all changes to include/linux/mfd/intel-m10-bmc.h into a
    single patch: "mfd: intel-m10-bmc: support for MAX10 BMC Security
    Engine".
  - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
  - Adapted to changes in the Intel FPGA Security Manager by splitting
    the single call to ifpga_sec_mgr_register() into two function
    calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
  - Replaced small function-creation macros for explicit function
    declarations.
  - Bug fix for the get_csk_vector() function to properly apply the
    stride variable in calls to m10bmc_raw_bulk_read().
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
  - Implemented HW_ERRINFO_POISON for m10bmc_sec_hw_errinfo() to
    ensure that corresponding bits are set to 1 if we are unable
    to read the doorbell or auth_result registers.
  - Added comments and additional code cleanup per V1 review.

Russ Weight (6):
  mfd: intel-m10-bmc: support for MAX10 BMC Security Engine
  fpga: m10bmc-sec: create max10 bmc security engine
  fpga: m10bmc-sec: expose max10 flash update counts
  fpga: m10bmc-sec: expose max10 canceled keys in sysfs
  fpga: m10bmc-sec: add max10 secure update functions
  fpga: m10bmc-sec: add max10 get_hw_errinfo callback func

 MAINTAINERS                         |   1 +
 drivers/fpga/Kconfig                |  11 +
 drivers/fpga/Makefile               |   3 +
 drivers/fpga/intel-m10-bmc-secure.c | 591 ++++++++++++++++++++++++++++
 include/linux/mfd/intel-m10-bmc.h   | 134 +++++++
 5 files changed, 740 insertions(+)
 create mode 100644 drivers/fpga/intel-m10-bmc-secure.c

-- 
2.17.1

[PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Russ Weight]

Add macros and definitions required by the MAX10 BMC
Security Engine driver.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v2:
  - These functions and macros were previously distributed among
    the patches that needed them. They are now grouped together
    in a single patch containing changes to the Intel MAX10 BMC
    driver.
  - Added DRBL_ prefix to some definitions
  - Some address definitions were moved here from the .c files that
    use them.
---
 include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
 1 file changed, 134 insertions(+)

diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
index c8ef2f1654a4..880f907302eb 100644
--- a/include/linux/mfd/intel-m10-bmc.h
+++ b/include/linux/mfd/intel-m10-bmc.h
@@ -13,6 +13,9 @@
 #define M10BMC_SYS_BASE			0x300800
 #define M10BMC_MEM_END			0x200000fc
 
+#define M10BMC_STAGING_BASE		0x18000000
+#define M10BMC_STAGING_SIZE		0x3800000
+
 /* Register offset of system registers */
 #define NIOS2_FW_VERSION		0x0
 #define M10BMC_TEST_REG			0x3c
@@ -21,6 +24,88 @@
 #define M10BMC_VER_PCB_INFO_MSK		GENMASK(31, 24)
 #define M10BMC_VER_LEGACY_INVALID	0xffffffff
 
+/* Secure update doorbell register, in system register region */
+#define M10BMC_DOORBELL			0x400
+
+/* Authorization Result register, in system register region */
+#define M10BMC_AUTH_RESULT		0x404
+
+/* Doorbell register fields */
+#define DRBL_RSU_REQUEST		BIT(0)
+#define DRBL_RSU_PROGRESS		GENMASK(7, 4)
+#define DRBL_HOST_STATUS		GENMASK(11, 8)
+#define DRBL_RSU_STATUS			GENMASK(23, 16)
+#define DRBL_PKVL_EEPROM_LOAD_SEC	BIT(24)
+#define DRBL_PKVL1_POLL_EN		BIT(25)
+#define DRBL_PKVL2_POLL_EN		BIT(26)
+#define DRBL_CONFIG_SEL			BIT(28)
+#define DRBL_REBOOT_REQ			BIT(29)
+#define DRBL_REBOOT_DISABLED		BIT(30)
+
+/* Progress states */
+#define RSU_PROG_IDLE			0x0
+#define RSU_PROG_PREPARE		0x1
+#define RSU_PROG_READY			0x3
+#define RSU_PROG_AUTHENTICATING		0x4
+#define RSU_PROG_COPYING		0x5
+#define RSU_PROG_UPDATE_CANCEL		0x6
+#define RSU_PROG_PROGRAM_KEY_HASH	0x7
+#define RSU_PROG_RSU_DONE		0x8
+#define RSU_PROG_PKVL_PROM_DONE		0x9
+
+/* Device and error states */
+#define RSU_STAT_NORMAL			0x0
+#define RSU_STAT_TIMEOUT		0x1
+#define RSU_STAT_AUTH_FAIL		0x2
+#define RSU_STAT_COPY_FAIL		0x3
+#define RSU_STAT_FATAL			0x4
+#define RSU_STAT_PKVL_REJECT		0x5
+#define RSU_STAT_NON_INC		0x6
+#define RSU_STAT_ERASE_FAIL		0x7
+#define RSU_STAT_WEAROUT		0x8
+#define RSU_STAT_NIOS_OK		0x80
+#define RSU_STAT_USER_OK		0x81
+#define RSU_STAT_FACTORY_OK		0x82
+#define RSU_STAT_USER_FAIL		0x83
+#define RSU_STAT_FACTORY_FAIL		0x84
+#define RSU_STAT_NIOS_FLASH_ERR		0x85
+#define RSU_STAT_FPGA_FLASH_ERR		0x86
+
+#define HOST_STATUS_IDLE		0x0
+#define HOST_STATUS_WRITE_DONE		0x1
+#define HOST_STATUS_ABORT_RSU		0x2
+
+#define rsu_prog(doorbell)	FIELD_GET(DRBL_RSU_PROGRESS, doorbell)
+#define rsu_stat(doorbell)	FIELD_GET(DRBL_RSU_STATUS, doorbell)
+
+/* interval 100ms and timeout 5s */
+#define NIOS_HANDSHAKE_INTERVAL_US	(100 * 1000)
+#define NIOS_HANDSHAKE_TIMEOUT_US	(5 * 1000 * 1000)
+
+/* RSU PREP Timeout (2 minutes) to erase flash staging area */
+#define RSU_PREP_INTERVAL_MS		100
+#define RSU_PREP_TIMEOUT_MS		(2 * 60 * 1000)
+
+/* RSU Complete Timeout (40 minutes) for full flash update */
+#define RSU_COMPLETE_INTERVAL_MS	1000
+#define RSU_COMPLETE_TIMEOUT_MS		(40 * 60 * 1000)
+
+/* Addresses for security related data in FLASH */
+#define BMC_REH_ADDR	0x17ffc004
+#define BMC_PROG_ADDR	0x17ffc000
+#define BMC_PROG_MAGIC	0x5746
+
+#define SR_REH_ADDR	0x17ffd004
+#define SR_PROG_ADDR	0x17ffd000
+#define SR_PROG_MAGIC	0x5253
+
+#define PR_REH_ADDR	0x17ffe004
+#define PR_PROG_ADDR	0x17ffe000
+#define PR_PROG_MAGIC	0x5250
+
+/* Address of inverted bit vector containing user the image FLASH count */
+#define USER_FLASH_COUNT 0x17ffb000
+
 /**
  * struct intel_m10bmc - Intel MAX 10 BMC parent driver data structure
  * @dev: this device
@@ -35,7 +120,11 @@ struct intel_m10bmc {
  * register access helper functions.
  *
  * m10bmc_raw_read - read m10bmc register per addr
+ * m10bmc_raw_bulk_read - bulk read max10 registers per addr
+ * m10bmc_raw_bulk_write - bulk write max10 registers per addr
+ * m10bmc_raw_update_bits - update max10 register per addr
  * m10bmc_sys_read - read m10bmc system register per offset
+ * m10bmc_sys_update_bits - update max10 system register per offset
  */
 static inline int
 m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
@@ -51,6 +140,48 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
 	return ret;
 }
 
+static inline int
+m10bmc_raw_bulk_read(struct intel_m10bmc *m10bmc, unsigned int addr,
+		     void *val, size_t cnt)
+{
+	int ret;
+
+	ret = regmap_bulk_read(m10bmc->regmap, addr, val, cnt);
+	if (ret)
+		dev_err(m10bmc->dev, "fail to read raw reg %x cnt %zx: %d\n",
+			addr, cnt, ret);
+
+	return ret;
+}
+
+static inline int
+m10bmc_raw_bulk_write(struct intel_m10bmc *m10bmc, unsigned int addr,
+		      void *val, size_t cnt)
+{
+	int ret;
+
+	ret = regmap_bulk_write(m10bmc->regmap, addr, val, cnt);
+	if (ret)
+		dev_err(m10bmc->dev, "fail to write raw reg %x cnt %zx: %d\n",
+			addr, cnt, ret);
+
+	return ret;
+}
+
+static inline int
+m10bmc_raw_update_bits(struct intel_m10bmc *m10bmc, unsigned int addr,
+		       unsigned int msk, unsigned int val)
+{
+	int ret;
+
+	ret = regmap_update_bits(m10bmc->regmap, addr, msk, val);
+	if (ret)
+		dev_err(m10bmc->dev, "fail to update raw reg %x: %d\n",
+			addr, ret);
+
+	return ret;
+}
+
 /*
  * The base of the system registers could be configured by HW developers, and
  * in HW SPEC, the base is not added to the addresses of the system registers.
@@ -62,4 +193,7 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
 #define m10bmc_sys_read(m10bmc, offset, val) \
 	m10bmc_raw_read(m10bmc, M10BMC_SYS_BASE + (offset), val)
 
+#define m10bmc_sys_update_bits(m10bmc, offset, msk, val) \
+	m10bmc_raw_update_bits(m10bmc, M10BMC_SYS_BASE + (offset), msk, val)
+
 #endif /* __MFD_INTEL_M10_BMC_H */
-- 
2.17.1

[PATCH v2 2/6] fpga: m10bmc-sec: create max10 bmc security engine

[Russ Weight]

Create a platform driver that can be invoked as a sub
driver for the Intel MAX10 BMC in order to support
secure updates. This sub-driver will invoke an
instance of the Intel FPGA Security Manager class driver
in order to expose sysfs interfaces for managing and
monitoring secure updates to FPGA and BMC images.

This patch creates the MAX10 BMC Security Engine driver and
provides support for displaying the current root entry hashes
for the FPGA static region, the FPGA PR region, and the MAX10
BMC.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v2:
  - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
  - Switched to GENMASK(31, 16) for a couple of mask definitions.
  - Moved MAX10 BMC address and function definitions to a separate
    patch.
  - Replaced small function-creation macros with explicit function
    declarations.
  - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
  - Adapted to changes in the Intel FPGA Security Manager by splitting
    the single call to ifpga_sec_mgr_register() into two function
    calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
---
 MAINTAINERS                         |   1 +
 drivers/fpga/Kconfig                |  11 ++
 drivers/fpga/Makefile               |   3 +
 drivers/fpga/intel-m10-bmc-secure.c | 165 ++++++++++++++++++++++++++++
 4 files changed, 180 insertions(+)
 create mode 100644 drivers/fpga/intel-m10-bmc-secure.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0bb5ef309dec..c359d0214980 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -6898,6 +6898,7 @@ S:	Maintained
 F:	Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
 F:	Documentation/fpga/ifpga-sec-mgr.rst
 F:	drivers/fpga/ifpga-sec-mgr.c
+F:	drivers/fpga/intel-m10-bmc-secure.c
 F:	include/linux/fpga/ifpga-sec-mgr.h
 
 FPU EMULATOR
diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
index c534cc80f398..2380d36b08c7 100644
--- a/drivers/fpga/Kconfig
+++ b/drivers/fpga/Kconfig
@@ -235,4 +235,15 @@ config IFPGA_SEC_MGR
 	  region and for the BMC. Select this option to enable
 	  updates for secure FPGA devices.
 
+config IFPGA_M10_BMC_SECURE
+        tristate "Intel MAX10 BMC security engine"
+	depends on MFD_INTEL_M10_BMC && IFPGA_SEC_MGR
+        help
+          Secure update support for the Intel MAX10 board management
+	  controller.
+
+	  This is a subdriver of the Intel MAX10 board management controller
+	  (BMC) and provides support for secure updates for the BMC image,
+	  the FPGA image, the Root Entry Hashes, etc.
+
 endif # FPGA
diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
index 6f706590e209..8e702689cdda 100644
--- a/drivers/fpga/Makefile
+++ b/drivers/fpga/Makefile
@@ -24,6 +24,9 @@ obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)    += altera-pr-ip-core-plat.o
 # Intel FPGA Security Manager Framework
 obj-$(CONFIG_IFPGA_SEC_MGR)		+= ifpga-sec-mgr.o
 
+# Intel Security Manager Drivers
+obj-$(CONFIG_IFPGA_M10_BMC_SECURE)	+= intel-m10-bmc-secure.o
+
 # FPGA Bridge Drivers
 obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
 obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
new file mode 100644
index 000000000000..df8ebda9a9cb
--- /dev/null
+++ b/drivers/fpga/intel-m10-bmc-secure.c
@@ -0,0 +1,165 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Intel Max10 Board Management Controller Security Engine Driver
+ *
+ * Copyright (C) 2019-2020 Intel Corporation. All rights reserved.
+ *
+ */
+#include <linux/bitfield.h>
+#include <linux/device.h>
+#include <linux/fpga/ifpga-sec-mgr.h>
+#include <linux/mfd/intel-m10-bmc.h>
+#include <linux/module.h>
+#include <linux/platform_device.h>
+#include <linux/vmalloc.h>
+
+struct m10bmc_sec {
+	struct device *dev;
+	struct intel_m10bmc *m10bmc;
+	struct ifpga_sec_mgr *imgr;
+};
+
+#define REH_SHA256_SIZE		32
+#define REH_SHA384_SIZE		48
+#define REH_MAGIC		GENMASK(15, 0)
+#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
+
+static int m10bmc_reh_size(struct ifpga_sec_mgr *imgr,
+			   u32 exp_magic, u32 prog_addr)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	int sha_num_bytes, ret;
+	u32 magic;
+
+	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
+	if (ret)
+		return ret;
+
+	dev_dbg(sec->dev, "%s magic 0x%08x\n", __func__, magic);
+
+	/*
+	 * If no magic number, then no REH is programmed, so
+	 * the REH size is zero.
+	 */
+	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
+		return 0;
+
+	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
+	if (sha_num_bytes != REH_SHA256_SIZE &&
+	    sha_num_bytes != REH_SHA384_SIZE)   {
+		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
+			sha_num_bytes);
+		return -EINVAL;
+	}
+
+	return sha_num_bytes;
+}
+
+static int m10bmc_bmc_reh_size(struct ifpga_sec_mgr *imgr)
+{
+	return m10bmc_reh_size(imgr, BMC_PROG_MAGIC, BMC_PROG_ADDR);
+}
+
+static int m10bmc_sr_reh_size(struct ifpga_sec_mgr *imgr)
+{
+	return m10bmc_reh_size(imgr, SR_PROG_MAGIC, SR_PROG_ADDR);
+}
+
+static int m10bmc_pr_reh_size(struct ifpga_sec_mgr *imgr)
+{
+	return m10bmc_reh_size(imgr, PR_PROG_MAGIC, PR_PROG_ADDR);
+}
+
+static int m10bmc_root_entry_hash(struct ifpga_sec_mgr *imgr,
+				  u32 hash_addr, u8 *hash,
+				  unsigned int size)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	int ret;
+
+	ret = m10bmc_raw_bulk_read(sec->m10bmc, hash_addr,
+				   hash, size / stride);
+	if (ret)
+		dev_err(sec->dev, "bulk_read of 0x%x failed %d",
+			hash_addr, ret);
+
+	return ret;
+}
+
+static int m10bmc_bmc_root_entry_hash(struct ifpga_sec_mgr *imgr,
+				      u8 *hash, unsigned int size)
+{
+	return m10bmc_root_entry_hash(imgr, BMC_REH_ADDR, hash, size);
+}
+
+static int m10bmc_sr_root_entry_hash(struct ifpga_sec_mgr *imgr,
+				     u8 *hash, unsigned int size)
+{
+	return m10bmc_root_entry_hash(imgr, SR_REH_ADDR, hash, size);
+}
+
+static int m10bmc_pr_root_entry_hash(struct ifpga_sec_mgr *imgr,
+				     u8 *hash, unsigned int size)
+{
+	return m10bmc_root_entry_hash(imgr, PR_REH_ADDR, hash, size);
+}
+
+static const struct ifpga_sec_mgr_ops m10bmc_iops = {
+	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
+	.sr_root_entry_hash = m10bmc_sr_root_entry_hash,
+	.pr_root_entry_hash = m10bmc_pr_root_entry_hash,
+	.bmc_reh_size = m10bmc_bmc_reh_size,
+	.sr_reh_size = m10bmc_sr_reh_size,
+	.pr_reh_size = m10bmc_pr_reh_size,
+};
+
+static int m10bmc_secure_probe(struct platform_device *pdev)
+{
+	struct ifpga_sec_mgr *imgr;
+	struct m10bmc_sec *sec;
+	int ret;
+
+	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
+	if (!sec)
+		return -ENOMEM;
+
+	sec->dev = &pdev->dev;
+	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
+	dev_set_drvdata(&pdev->dev, sec);
+
+	imgr = devm_ifpga_sec_mgr_create(sec->dev, "Max10 BMC Security Manager",
+					 &m10bmc_iops, sec);
+	if (!imgr) {
+		dev_err(sec->dev,
+			"Security manager failed to start: %d\n", ret);
+		return -ENOMEM;
+	}
+
+	sec->imgr = imgr;
+
+	return ifpga_sec_mgr_register(imgr);
+}
+
+static int m10bmc_secure_remove(struct platform_device *pdev)
+{
+	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
+
+	ifpga_sec_mgr_unregister(sec->imgr);
+
+	return 0;
+}
+
+static struct platform_driver intel_m10bmc_secure_driver = {
+	.probe = m10bmc_secure_probe,
+	.remove = m10bmc_secure_remove,
+	.driver = {
+		.name = "n3000bmc-secure",
+	},
+};
+module_platform_driver(intel_m10bmc_secure_driver);
+
+MODULE_ALIAS("platform:n3000bmc-secure");
+MODULE_AUTHOR("Intel Corporation");
+MODULE_DESCRIPTION("Intel MAX10 BMC secure engine");
+MODULE_LICENSE("GPL v2");
-- 
2.17.1

[PATCH v2 3/6] fpga: m10bmc-sec: expose max10 flash update counts

[Russ Weight]

Extend the MAX10 BMC Security Engine driver to provide a
handler to expose the flash update count for the FPGA user
image in sysfs.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v2:
  - Renamed get_qspi_flash_count() to m10bmc_user_flash_count()
  - Minor code cleanup per review comments
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
---
 drivers/fpga/intel-m10-bmc-secure.c | 31 +++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
index df8ebda9a9cb..da61cfda3c50 100644
--- a/drivers/fpga/intel-m10-bmc-secure.c
+++ b/drivers/fpga/intel-m10-bmc-secure.c
@@ -11,6 +11,7 @@
 #include <linux/mfd/intel-m10-bmc.h>
 #include <linux/module.h>
 #include <linux/platform_device.h>
+#include <linux/slab.h>
 #include <linux/vmalloc.h>
 
 struct m10bmc_sec {
@@ -105,7 +106,37 @@ static int m10bmc_pr_root_entry_hash(struct ifpga_sec_mgr *imgr,
 	return m10bmc_root_entry_hash(imgr, PR_REH_ADDR, hash, size);
 }
 
+#define FLASH_COUNT_SIZE 4096	/* count stored in inverted bit vector */
+
+static int m10bmc_user_flash_count(struct ifpga_sec_mgr *imgr)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	unsigned int num_bits = FLASH_COUNT_SIZE * 8;
+	u8 *flash_buf;
+	int ret;
+
+	flash_buf = kmalloc(FLASH_COUNT_SIZE, GFP_KERNEL);
+	if (!flash_buf)
+		return -ENOMEM;
+
+	ret = m10bmc_raw_bulk_read(sec->m10bmc, USER_FLASH_COUNT, flash_buf,
+				   FLASH_COUNT_SIZE / stride);
+	if (ret) {
+		dev_err(sec->dev, "%s failed to read %d\n", __func__, ret);
+		goto exit_free;
+	}
+
+	ret = num_bits - bitmap_weight((unsigned long *)flash_buf, num_bits);
+
+exit_free:
+	kfree(flash_buf);
+
+	return ret;
+}
+
 static const struct ifpga_sec_mgr_ops m10bmc_iops = {
+	.user_flash_count = m10bmc_user_flash_count,
 	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
 	.sr_root_entry_hash = m10bmc_sr_root_entry_hash,
 	.pr_root_entry_hash = m10bmc_pr_root_entry_hash,
-- 
2.17.1

[PATCH v2 4/6] fpga: m10bmc-sec: expose max10 canceled keys in sysfs

[Russ Weight]

Extend the MAX10 BMC Security Engine driver to provide a
handler to expose the canceled code signing key (CSK) bit
vectors in sysfs. These use the standard bitmap list format
(e.g. 1,2-6,9).

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v2:
  - Replaced small function-creation macros for explicit function
    declarations.
  - Fixed get_csk_vector() function to properly apply the stride
    variable in calls to m10bmc_raw_bulk_read()
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
---
 drivers/fpga/intel-m10-bmc-secure.c | 72 +++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
index da61cfda3c50..5bb45499b332 100644
--- a/drivers/fpga/intel-m10-bmc-secure.c
+++ b/drivers/fpga/intel-m10-bmc-secure.c
@@ -135,14 +135,86 @@ static int m10bmc_user_flash_count(struct ifpga_sec_mgr *imgr)
 	return ret;
 }
 
+#define CSK_BIT_LEN			128U
+#define CSK_32ARRAY_SIZE(_nbits)	DIV_ROUND_UP(_nbits, 32)
+
+static int m10bmc_csk_cancel_nbits(struct ifpga_sec_mgr *imgr)
+{
+	return (int)CSK_BIT_LEN;
+}
+
+static int get_csk_vector(struct ifpga_sec_mgr *imgr, u32 addr,
+			  unsigned long *csk_map, unsigned int nbits)
+{
+	unsigned int i, size, arr_size = CSK_32ARRAY_SIZE(nbits);
+	struct m10bmc_sec *sec = imgr->priv;
+	unsigned int stride;
+	u32 *csk32;
+	int ret;
+
+	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	size = arr_size * sizeof(u32);
+	csk32 = vmalloc(size);
+	if (!csk32)
+		return -ENOMEM;
+
+	ret = m10bmc_raw_bulk_read(sec->m10bmc, addr, csk32, size / stride);
+	if (ret) {
+		dev_err(sec->dev, "%s failed to read %d\n", __func__, ret);
+		goto vfree_exit;
+	}
+
+	for (i = 0; i < arr_size; i++)
+		csk32[i] = le32_to_cpu(csk32[i]);
+
+	bitmap_from_arr32(csk_map, csk32, nbits);
+	bitmap_complement(csk_map, csk_map, nbits);
+
+vfree_exit:
+	vfree(csk32);
+	return ret;
+}
+
+#define CSK_VEC_OFFSET 0x34
+
+static int m10bmc_bmc_canceled_csks(struct ifpga_sec_mgr *imgr,
+				    unsigned long *csk_map,
+				    unsigned int nbits)
+{
+	return get_csk_vector(imgr, BMC_PROG_ADDR + CSK_VEC_OFFSET,
+			      csk_map, nbits);
+}
+
+static int m10bmc_sr_canceled_csks(struct ifpga_sec_mgr *imgr,
+				   unsigned long *csk_map,
+				   unsigned int nbits)
+{
+	return get_csk_vector(imgr, SR_PROG_ADDR + CSK_VEC_OFFSET,
+			      csk_map, nbits);
+}
+
+static int m10bmc_pr_canceled_csks(struct ifpga_sec_mgr *imgr,
+				   unsigned long *csk_map,
+				   unsigned int nbits)
+{
+	return get_csk_vector(imgr, PR_PROG_ADDR + CSK_VEC_OFFSET,
+			      csk_map, nbits);
+}
+
 static const struct ifpga_sec_mgr_ops m10bmc_iops = {
 	.user_flash_count = m10bmc_user_flash_count,
 	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
 	.sr_root_entry_hash = m10bmc_sr_root_entry_hash,
 	.pr_root_entry_hash = m10bmc_pr_root_entry_hash,
+	.bmc_canceled_csks = m10bmc_bmc_canceled_csks,
+	.sr_canceled_csks = m10bmc_sr_canceled_csks,
+	.pr_canceled_csks = m10bmc_pr_canceled_csks,
 	.bmc_reh_size = m10bmc_bmc_reh_size,
 	.sr_reh_size = m10bmc_sr_reh_size,
 	.pr_reh_size = m10bmc_pr_reh_size,
+	.bmc_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
+	.sr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
+	.pr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
 };
 
 static int m10bmc_secure_probe(struct platform_device *pdev)
-- 
2.17.1

[PATCH v2 5/6] fpga: m10bmc-sec: add max10 secure update functions

[Russ Weight]

Extend the MAX10 BMC Security Engine driver to include
the functions that enable secure updates of BMC images,
FPGA images, etc.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v2:
  - Reworked the rsu_start_done() function to make it more readable
  - Reworked while-loop condition/content in rsu_prog_ready()
  - Minor code cleanup per review comments
  - Added a comment to the m10bmc_sec_poll_complete() function to
    explain the context (could take 30+ minutes to complete).
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
  - Moved MAX10 BMC address and function definitions to a separate
    patch.
---
 drivers/fpga/intel-m10-bmc-secure.c | 298 ++++++++++++++++++++++++++++
 1 file changed, 298 insertions(+)

diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
index 5bb45499b332..a9617c5b3845 100644
--- a/drivers/fpga/intel-m10-bmc-secure.c
+++ b/drivers/fpga/intel-m10-bmc-secure.c
@@ -201,6 +201,300 @@ static int m10bmc_pr_canceled_csks(struct ifpga_sec_mgr *imgr,
 			      csk_map, nbits);
 }
 
+static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
+{
+	u32 auth_result;
+
+	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
+
+	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
+		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
+}
+
+static enum ifpga_sec_err rsu_check_idle(struct m10bmc_sec *sec)
+{
+	u32 doorbell;
+	int ret;
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret)
+		return IFPGA_SEC_ERR_RW_ERROR;
+
+	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
+	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_BUSY;
+	}
+
+	return IFPGA_SEC_ERR_NONE;
+}
+
+static inline bool rsu_start_done(u32 doorbell)
+{
+	u32 status, progress;
+
+	if (doorbell & DRBL_RSU_REQUEST)
+		return false;
+
+	status = rsu_stat(doorbell);
+	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
+		return true;
+
+	progress = rsu_prog(doorbell);
+	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
+		return true;
+
+	return false;
+}
+
+static enum ifpga_sec_err rsu_update_init(struct m10bmc_sec *sec)
+{
+	u32 doorbell, status;
+	int ret;
+
+	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
+				     DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
+				     DRBL_RSU_REQUEST |
+				     FIELD_PREP(DRBL_HOST_STATUS,
+						HOST_STATUS_IDLE));
+	if (ret)
+		return IFPGA_SEC_ERR_RW_ERROR;
+
+	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
+				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
+				       doorbell,
+				       rsu_start_done(doorbell),
+				       NIOS_HANDSHAKE_INTERVAL_US,
+				       NIOS_HANDSHAKE_TIMEOUT_US);
+
+	if (ret == -ETIMEDOUT) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_TIMEOUT;
+	} else if (ret) {
+		return IFPGA_SEC_ERR_RW_ERROR;
+	}
+
+	status = rsu_stat(doorbell);
+	if (status == RSU_STAT_WEAROUT) {
+		dev_warn(sec->dev, "Excessive flash update count detected\n");
+		return IFPGA_SEC_ERR_WEAROUT;
+	} else if (status == RSU_STAT_ERASE_FAIL) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_HW_ERROR;
+	}
+
+	return IFPGA_SEC_ERR_NONE;
+}
+
+static enum ifpga_sec_err rsu_prog_ready(struct m10bmc_sec *sec)
+{
+	unsigned long poll_timeout;
+	u32 doorbell, progress;
+	int ret;
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret)
+		return IFPGA_SEC_ERR_RW_ERROR;
+
+	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
+	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
+		msleep(RSU_PREP_INTERVAL_MS);
+		if (time_after(jiffies, poll_timeout))
+			break;
+
+		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+		if (ret)
+			return IFPGA_SEC_ERR_RW_ERROR;
+	}
+
+	progress = rsu_prog(doorbell);
+	if (progress == RSU_PROG_PREPARE) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_TIMEOUT;
+	} else if (progress != RSU_PROG_READY) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_HW_ERROR;
+	}
+
+	return IFPGA_SEC_ERR_NONE;
+}
+
+static enum ifpga_sec_err rsu_send_data(struct m10bmc_sec *sec)
+{
+	u32 doorbell;
+	int ret;
+
+	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
+				     DRBL_HOST_STATUS,
+				     FIELD_PREP(DRBL_HOST_STATUS,
+						HOST_STATUS_WRITE_DONE));
+	if (ret)
+		return IFPGA_SEC_ERR_RW_ERROR;
+
+	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
+				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
+				       doorbell,
+				       rsu_prog(doorbell) != RSU_PROG_READY,
+				       NIOS_HANDSHAKE_INTERVAL_US,
+				       NIOS_HANDSHAKE_TIMEOUT_US);
+
+	if (ret == -ETIMEDOUT) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_TIMEOUT;
+	} else if (ret) {
+		return IFPGA_SEC_ERR_RW_ERROR;
+	}
+
+	switch (rsu_stat(doorbell)) {
+	case RSU_STAT_NORMAL:
+	case RSU_STAT_NIOS_OK:
+	case RSU_STAT_USER_OK:
+	case RSU_STAT_FACTORY_OK:
+		break;
+	default:
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_HW_ERROR;
+	}
+
+	return IFPGA_SEC_ERR_NONE;
+}
+
+static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
+{
+	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
+		return -EIO;
+
+	switch (rsu_stat(*doorbell)) {
+	case RSU_STAT_NORMAL:
+	case RSU_STAT_NIOS_OK:
+	case RSU_STAT_USER_OK:
+	case RSU_STAT_FACTORY_OK:
+	case RSU_STAT_WEAROUT:
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	switch (rsu_prog(*doorbell)) {
+	case RSU_PROG_IDLE:
+	case RSU_PROG_RSU_DONE:
+		return 0;
+	case RSU_PROG_AUTHENTICATING:
+	case RSU_PROG_COPYING:
+	case RSU_PROG_UPDATE_CANCEL:
+	case RSU_PROG_PROGRAM_KEY_HASH:
+		return -EAGAIN;
+	default:
+		return -EINVAL;
+	}
+}
+
+static enum ifpga_sec_err m10bmc_sec_prepare(struct ifpga_sec_mgr *imgr)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	enum ifpga_sec_err ret;
+
+	if (imgr->remaining_size > M10BMC_STAGING_SIZE)
+		return IFPGA_SEC_ERR_INVALID_SIZE;
+
+	ret = rsu_check_idle(sec);
+	if (ret)
+		return ret;
+
+	ret = rsu_update_init(sec);
+	if (ret)
+		return ret;
+
+	return rsu_prog_ready(sec);
+}
+
+static enum ifpga_sec_err
+m10bmc_sec_write_blk(struct ifpga_sec_mgr *imgr, u32 offset, u32 size)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	u32 doorbell;
+	int ret;
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret) {
+		return IFPGA_SEC_ERR_RW_ERROR;
+	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_HW_ERROR;
+	}
+
+	ret = m10bmc_raw_bulk_write(sec->m10bmc, M10BMC_STAGING_BASE + offset,
+				    (void *)imgr->data + offset, size / stride);
+
+	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
+}
+
+/*
+ * m10bmc_sec_poll_complete() is called after handing things off to
+ * the BMC firmware. Depending on the type of update, it could be
+ * 30+ minutes before the BMC firmware completes the update. The
+ * imgr->driver_unload check allows the driver to be unloaded,
+ * but the BMC firmware will continue the update and no further
+ * secure updates can be started for this device until the update
+ * is complete.
+ */
+static enum ifpga_sec_err m10bmc_sec_poll_complete(struct ifpga_sec_mgr *imgr)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	unsigned long poll_timeout;
+	enum ifpga_sec_err result;
+	u32 doorbell;
+	int ret;
+
+	result = rsu_send_data(sec);
+	if (result)
+		return result;
+
+	ret = rsu_check_complete(sec, &doorbell);
+	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
+
+	while (ret == -EAGAIN && !time_after(jiffies, poll_timeout)) {
+		msleep(RSU_COMPLETE_INTERVAL_MS);
+		ret = rsu_check_complete(sec, &doorbell);
+		if (imgr->driver_unload)
+			return IFPGA_SEC_ERR_CANCELED;
+	}
+
+	if (ret == -EAGAIN) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_TIMEOUT;
+	} else if (ret == -EIO) {
+		return IFPGA_SEC_ERR_RW_ERROR;
+	} else if (ret) {
+		log_error_regs(sec, doorbell);
+		return IFPGA_SEC_ERR_HW_ERROR;
+	}
+
+	return IFPGA_SEC_ERR_NONE;
+}
+
+static enum ifpga_sec_err m10bmc_sec_cancel(struct ifpga_sec_mgr *imgr)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	u32 doorbell;
+	int ret;
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret)
+		return IFPGA_SEC_ERR_RW_ERROR;
+
+	if (rsu_prog(doorbell) != RSU_PROG_READY)
+		return IFPGA_SEC_ERR_BUSY;
+
+	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
+				     DRBL_HOST_STATUS,
+				     FIELD_PREP(DRBL_HOST_STATUS,
+						HOST_STATUS_ABORT_RSU));
+
+	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
+}
+
 static const struct ifpga_sec_mgr_ops m10bmc_iops = {
 	.user_flash_count = m10bmc_user_flash_count,
 	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
@@ -215,6 +509,10 @@ static const struct ifpga_sec_mgr_ops m10bmc_iops = {
 	.bmc_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
 	.sr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
 	.pr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
+	.prepare = m10bmc_sec_prepare,
+	.write_blk = m10bmc_sec_write_blk,
+	.poll_complete = m10bmc_sec_poll_complete,
+	.cancel = m10bmc_sec_cancel,
 };
 
 static int m10bmc_secure_probe(struct platform_device *pdev)
-- 
2.17.1

[PATCH v2 6/6] fpga: m10bmc-sec: add max10 get_hw_errinfo callback func

[Russ Weight]

Extend the MAX10 BMC Security Engine driver to include
a function that returns 64 bits of additional HW specific
data for errors that require additional information.
This callback function enables the hw_errinfo sysfs
node in the Intel Security Manager class driver.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v2:
  - Implemented HW_ERRINFO_POISON for m10bmc_sec_hw_errinfo() to
    ensure that corresponding bits are set to 1 if we are unable
    to read the doorbell or auth_result registers.
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
---
 drivers/fpga/intel-m10-bmc-secure.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
index a9617c5b3845..9edc39439c97 100644
--- a/drivers/fpga/intel-m10-bmc-secure.c
+++ b/drivers/fpga/intel-m10-bmc-secure.c
@@ -495,6 +495,30 @@ static enum ifpga_sec_err m10bmc_sec_cancel(struct ifpga_sec_mgr *imgr)
 	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
 }
 
+#define HW_ERRINFO_POISON	GENMASK(31, 0)
+static u64 m10bmc_sec_hw_errinfo(struct ifpga_sec_mgr *imgr)
+{
+	struct m10bmc_sec *sec = imgr->priv;
+	u32 doorbell, auth_result;
+
+	switch (imgr->err_code) {
+	case IFPGA_SEC_ERR_HW_ERROR:
+	case IFPGA_SEC_ERR_TIMEOUT:
+	case IFPGA_SEC_ERR_BUSY:
+	case IFPGA_SEC_ERR_WEAROUT:
+		if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell))
+			doorbell = HW_ERRINFO_POISON;
+
+		if (m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT,
+				     &auth_result))
+			auth_result = HW_ERRINFO_POISON;
+
+		return (u64)doorbell << 32 | (u64)auth_result;
+	default:
+		return 0;
+	}
+}
+
 static const struct ifpga_sec_mgr_ops m10bmc_iops = {
 	.user_flash_count = m10bmc_user_flash_count,
 	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
@@ -513,6 +537,7 @@ static const struct ifpga_sec_mgr_ops m10bmc_iops = {
 	.write_blk = m10bmc_sec_write_blk,
 	.poll_complete = m10bmc_sec_poll_complete,
 	.cancel = m10bmc_sec_cancel,
+	.get_hw_errinfo = m10bmc_sec_hw_errinfo,
 };
 
 static int m10bmc_secure_probe(struct platform_device *pdev)
-- 
2.17.1

Re: [PATCH v2 2/6] fpga: m10bmc-sec: create max10 bmc security engine

[Randy Dunlap]

On 10/2/20 6:24 PM, Russ Weight wrote:
> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
> index c534cc80f398..2380d36b08c7 100644
> --- a/drivers/fpga/Kconfig
> +++ b/drivers/fpga/Kconfig
> @@ -235,4 +235,15 @@ config IFPGA_SEC_MGR
>  	  region and for the BMC. Select this option to enable
>  	  updates for secure FPGA devices.
>  
> +config IFPGA_M10_BMC_SECURE
> +        tristate "Intel MAX10 BMC security engine"
> +	depends on MFD_INTEL_M10_BMC && IFPGA_SEC_MGR
> +        help
> +          Secure update support for the Intel MAX10 board management
> +	  controller.
> +
> +	  This is a subdriver of the Intel MAX10 board management controller
> +	  (BMC) and provides support for secure updates for the BMC image,
> +	  the FPGA image, the Root Entry Hashes, etc.
> +
>  endif # FPGA

Dagnabit, I need a bot to do this.

Clean up the indentation in the Kconfig file.

From Documentation/process/coding-style.rst, section 10:

Lines under a ``config`` definition
are indented with one tab, while help text is indented an additional two
spaces.

checkpatch should have found that issue. Did it not?


thanks.
-- 
~Randy

Re: [PATCH v2 2/6] fpga: m10bmc-sec: create max10 bmc security engine

[Russ Weight]

On 10/2/20 8:15 PM, Randy Dunlap wrote:
> On 10/2/20 6:24 PM, Russ Weight wrote:
>> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
>> index c534cc80f398..2380d36b08c7 100644
>> --- a/drivers/fpga/Kconfig
>> +++ b/drivers/fpga/Kconfig
>> @@ -235,4 +235,15 @@ config IFPGA_SEC_MGR
>>  	  region and for the BMC. Select this option to enable
>>  	  updates for secure FPGA devices.
>>  
>> +config IFPGA_M10_BMC_SECURE
>> +        tristate "Intel MAX10 BMC security engine"
>> +	depends on MFD_INTEL_M10_BMC && IFPGA_SEC_MGR
>> +        help
>> +          Secure update support for the Intel MAX10 board management
>> +	  controller.
>> +
>> +	  This is a subdriver of the Intel MAX10 board management controller
>> +	  (BMC) and provides support for secure updates for the BMC image,
>> +	  the FPGA image, the Root Entry Hashes, etc.
>> +
>>  endif # FPGA
> Dagnabit, I need a bot to do this.
>
> Clean up the indentation in the Kconfig file.
>
> From Documentation/process/coding-style.rst, section 10:
>
> Lines under a ``config`` definition
> are indented with one tab, while help text is indented an additional two
> spaces.
>
> checkpatch should have found that issue. Did it not?
Sorry - I thought I had addressed the indentation errors after the first submission.
I'll fix it.

I am running checkpatch.pl --strict, and I did not see a warning/error for this.
>
>
> thanks.

Re: [PATCH v2 2/6] fpga: m10bmc-sec: create max10 bmc security engine

[Randy Dunlap]

On 10/4/20 11:01 AM, Russ Weight wrote:
> 
> 
> On 10/2/20 8:15 PM, Randy Dunlap wrote:
>> On 10/2/20 6:24 PM, Russ Weight wrote:
>>> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
>>> index c534cc80f398..2380d36b08c7 100644
>>> --- a/drivers/fpga/Kconfig
>>> +++ b/drivers/fpga/Kconfig
>>> @@ -235,4 +235,15 @@ config IFPGA_SEC_MGR
>>>  	  region and for the BMC. Select this option to enable
>>>  	  updates for secure FPGA devices.
>>>  
>>> +config IFPGA_M10_BMC_SECURE
>>> +        tristate "Intel MAX10 BMC security engine"
>>> +	depends on MFD_INTEL_M10_BMC && IFPGA_SEC_MGR
>>> +        help
>>> +          Secure update support for the Intel MAX10 board management
>>> +	  controller.
>>> +
>>> +	  This is a subdriver of the Intel MAX10 board management controller
>>> +	  (BMC) and provides support for secure updates for the BMC image,
>>> +	  the FPGA image, the Root Entry Hashes, etc.
>>> +
>>>  endif # FPGA
>> Dagnabit, I need a bot to do this.
>>
>> Clean up the indentation in the Kconfig file.
>>
>> From Documentation/process/coding-style.rst, section 10:
>>
>> Lines under a ``config`` definition
>> are indented with one tab, while help text is indented an additional two
>> spaces.
>>
>> checkpatch should have found that issue. Did it not?
> Sorry - I thought I had addressed the indentation errors after the first submission.
> I'll fix it.
> 
> I am running checkpatch.pl --strict, and I did not see a warning/error for this.

OK, I looked at checkpatch.pl and I don't see any checks for that.

I'll just work on a pseudo-bot then.

thanks.

-- 
~Randy

Re: [PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Tom Rix]

On 10/2/20 6:24 PM, Russ Weight wrote:
> Add macros and definitions required by the MAX10 BMC
> Security Engine driver.
>
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v2:
>   - These functions and macros were previously distributed among
>     the patches that needed them. They are now grouped together
>     in a single patch containing changes to the Intel MAX10 BMC
>     driver.
>   - Added DRBL_ prefix to some definitions
>   - Some address definitions were moved here from the .c files that
>     use them.
> ---
>  include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
>  1 file changed, 134 insertions(+)
>
> diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
> index c8ef2f1654a4..880f907302eb 100644
> --- a/include/linux/mfd/intel-m10-bmc.h
> +++ b/include/linux/mfd/intel-m10-bmc.h
> @@ -13,6 +13,9 @@
>  #define M10BMC_SYS_BASE			0x300800
>  #define M10BMC_MEM_END			0x200000fc
>  
> +#define M10BMC_STAGING_BASE		0x18000000
> +#define M10BMC_STAGING_SIZE		0x3800000

The staging size is not used, please use it in m10bmc_sec_write_blk to

check the input parameter 'size'

> +
>  /* Register offset of system registers */
>  #define NIOS2_FW_VERSION		0x0
>  #define M10BMC_TEST_REG			0x3c
> @@ -21,6 +24,88 @@
>  #define M10BMC_VER_PCB_INFO_MSK		GENMASK(31, 24)
>  #define M10BMC_VER_LEGACY_INVALID	0xffffffff
>  
> +/* Secure update doorbell register, in system register region */
> +#define M10BMC_DOORBELL			0x400
> +
> +/* Authorization Result register, in system register region */
> +#define M10BMC_AUTH_RESULT		0x404
> +
> +/* Doorbell register fields */
> +#define DRBL_RSU_REQUEST		BIT(0)
> +#define DRBL_RSU_PROGRESS		GENMASK(7, 4)
> +#define DRBL_HOST_STATUS		GENMASK(11, 8)
> +#define DRBL_RSU_STATUS			GENMASK(23, 16)
> +#define DRBL_PKVL_EEPROM_LOAD_SEC	BIT(24)
> +#define DRBL_PKVL1_POLL_EN		BIT(25)
> +#define DRBL_PKVL2_POLL_EN		BIT(26)

PKVL seems like it would be n3000 specific.

For this and similar it may be good to add a _N3000_ in the name.

> +#define DRBL_CONFIG_SEL			BIT(28)
> +#define DRBL_REBOOT_REQ			BIT(29)
> +#define DRBL_REBOOT_DISABLED		BIT(30)
> +
> +/* Progress states */
> +#define RSU_PROG_IDLE			0x0
> +#define RSU_PROG_PREPARE		0x1
> +#define RSU_PROG_READY			0x3
> +#define RSU_PROG_AUTHENTICATING		0x4
> +#define RSU_PROG_COPYING		0x5
> +#define RSU_PROG_UPDATE_CANCEL		0x6
> +#define RSU_PROG_PROGRAM_KEY_HASH	0x7
> +#define RSU_PROG_RSU_DONE		0x8
> +#define RSU_PROG_PKVL_PROM_DONE		0x9
> +
> +/* Device and error states */
> +#define RSU_STAT_NORMAL			0x0
> +#define RSU_STAT_TIMEOUT		0x1
> +#define RSU_STAT_AUTH_FAIL		0x2
> +#define RSU_STAT_COPY_FAIL		0x3
> +#define RSU_STAT_FATAL			0x4
> +#define RSU_STAT_PKVL_REJECT		0x5
> +#define RSU_STAT_NON_INC		0x6
> +#define RSU_STAT_ERASE_FAIL		0x7
> +#define RSU_STAT_WEAROUT		0x8
> +#define RSU_STAT_NIOS_OK		0x80
> +#define RSU_STAT_USER_OK		0x81
> +#define RSU_STAT_FACTORY_OK		0x82
> +#define RSU_STAT_USER_FAIL		0x83
> +#define RSU_STAT_FACTORY_FAIL		0x84
> +#define RSU_STAT_NIOS_FLASH_ERR		0x85
> +#define RSU_STAT_FPGA_FLASH_ERR		0x86
> +
> +#define HOST_STATUS_IDLE		0x0
> +#define HOST_STATUS_WRITE_DONE		0x1
> +#define HOST_STATUS_ABORT_RSU		0x2
> +
> +#define rsu_prog(doorbell)	FIELD_GET(DRBL_RSU_PROGRESS, doorbell)
> +#define rsu_stat(doorbell)	FIELD_GET(DRBL_RSU_STATUS, doorbell)
> +
> +/* interval 100ms and timeout 5s */
> +#define NIOS_HANDSHAKE_INTERVAL_US	(100 * 1000)
> +#define NIOS_HANDSHAKE_TIMEOUT_US	(5 * 1000 * 1000)
> +
> +/* RSU PREP Timeout (2 minutes) to erase flash staging area */
> +#define RSU_PREP_INTERVAL_MS		100
> +#define RSU_PREP_TIMEOUT_MS		(2 * 60 * 1000)
> +
> +/* RSU Complete Timeout (40 minutes) for full flash update */
> +#define RSU_COMPLETE_INTERVAL_MS	1000
> +#define RSU_COMPLETE_TIMEOUT_MS		(40 * 60 * 1000)

minutes is an unusual timeout unit.

It may be worthwhile to spell out MINUTES to avoid confusing with micro seconds.

Tom

> +
> +/* Addresses for security related data in FLASH */
> +#define BMC_REH_ADDR	0x17ffc004
> +#define BMC_PROG_ADDR	0x17ffc000
> +#define BMC_PROG_MAGIC	0x5746
> +
> +#define SR_REH_ADDR	0x17ffd004
> +#define SR_PROG_ADDR	0x17ffd000
> +#define SR_PROG_MAGIC	0x5253
> +
> +#define PR_REH_ADDR	0x17ffe004
> +#define PR_PROG_ADDR	0x17ffe000
> +#define PR_PROG_MAGIC	0x5250
> +
> +/* Address of inverted bit vector containing user the image FLASH count */
> +#define USER_FLASH_COUNT 0x17ffb000
> +
>  /**
>   * struct intel_m10bmc - Intel MAX 10 BMC parent driver data structure
>   * @dev: this device
> @@ -35,7 +120,11 @@ struct intel_m10bmc {
>   * register access helper functions.
>   *
>   * m10bmc_raw_read - read m10bmc register per addr
> + * m10bmc_raw_bulk_read - bulk read max10 registers per addr
> + * m10bmc_raw_bulk_write - bulk write max10 registers per addr
> + * m10bmc_raw_update_bits - update max10 register per addr
>   * m10bmc_sys_read - read m10bmc system register per offset
> + * m10bmc_sys_update_bits - update max10 system register per offset
>   */
>  static inline int
>  m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
> @@ -51,6 +140,48 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>  	return ret;
>  }
>  
> +static inline int
> +m10bmc_raw_bulk_read(struct intel_m10bmc *m10bmc, unsigned int addr,
> +		     void *val, size_t cnt)
> +{
> +	int ret;
> +
> +	ret = regmap_bulk_read(m10bmc->regmap, addr, val, cnt);
> +	if (ret)
> +		dev_err(m10bmc->dev, "fail to read raw reg %x cnt %zx: %d\n",
> +			addr, cnt, ret);
> +
> +	return ret;
> +}
> +
> +static inline int
> +m10bmc_raw_bulk_write(struct intel_m10bmc *m10bmc, unsigned int addr,
> +		      void *val, size_t cnt)
> +{
> +	int ret;
> +
> +	ret = regmap_bulk_write(m10bmc->regmap, addr, val, cnt);
> +	if (ret)
> +		dev_err(m10bmc->dev, "fail to write raw reg %x cnt %zx: %d\n",
> +			addr, cnt, ret);
> +
> +	return ret;
> +}
> +
> +static inline int
> +m10bmc_raw_update_bits(struct intel_m10bmc *m10bmc, unsigned int addr,
> +		       unsigned int msk, unsigned int val)
> +{
> +	int ret;
> +
> +	ret = regmap_update_bits(m10bmc->regmap, addr, msk, val);
> +	if (ret)
> +		dev_err(m10bmc->dev, "fail to update raw reg %x: %d\n",
> +			addr, ret);
> +
> +	return ret;
> +}
> +
>  /*
>   * The base of the system registers could be configured by HW developers, and
>   * in HW SPEC, the base is not added to the addresses of the system registers.
> @@ -62,4 +193,7 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>  #define m10bmc_sys_read(m10bmc, offset, val) \
>  	m10bmc_raw_read(m10bmc, M10BMC_SYS_BASE + (offset), val)
>  
> +#define m10bmc_sys_update_bits(m10bmc, offset, msk, val) \
> +	m10bmc_raw_update_bits(m10bmc, M10BMC_SYS_BASE + (offset), msk, val)
> +
>  #endif /* __MFD_INTEL_M10_BMC_H */

Re: [PATCH v2 2/6] fpga: m10bmc-sec: create max10 bmc security engine

[Tom Rix]

On 10/2/20 6:24 PM, Russ Weight wrote:
> Create a platform driver that can be invoked as a sub
> driver for the Intel MAX10 BMC in order to support
> secure updates. This sub-driver will invoke an
> instance of the Intel FPGA Security Manager class driver
> in order to expose sysfs interfaces for managing and
> monitoring secure updates to FPGA and BMC images.
>
> This patch creates the MAX10 BMC Security Engine driver and
> provides support for displaying the current root entry hashes
> for the FPGA static region, the FPGA PR region, and the MAX10
> BMC.
>
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v2:
>   - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
>   - Switched to GENMASK(31, 16) for a couple of mask definitions.
>   - Moved MAX10 BMC address and function definitions to a separate
>     patch.
>   - Replaced small function-creation macros with explicit function
>     declarations.
>   - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
>   - Adapted to changes in the Intel FPGA Security Manager by splitting
>     the single call to ifpga_sec_mgr_register() into two function
>     calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
> ---
>  MAINTAINERS                         |   1 +
>  drivers/fpga/Kconfig                |  11 ++
>  drivers/fpga/Makefile               |   3 +
>  drivers/fpga/intel-m10-bmc-secure.c | 165 ++++++++++++++++++++++++++++
>  4 files changed, 180 insertions(+)
>  create mode 100644 drivers/fpga/intel-m10-bmc-secure.c
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 0bb5ef309dec..c359d0214980 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -6898,6 +6898,7 @@ S:	Maintained
>  F:	Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
>  F:	Documentation/fpga/ifpga-sec-mgr.rst
>  F:	drivers/fpga/ifpga-sec-mgr.c
> +F:	drivers/fpga/intel-m10-bmc-secure.c
>  F:	include/linux/fpga/ifpga-sec-mgr.h
>  
>  FPU EMULATOR
> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
> index c534cc80f398..2380d36b08c7 100644
> --- a/drivers/fpga/Kconfig
> +++ b/drivers/fpga/Kconfig
> @@ -235,4 +235,15 @@ config IFPGA_SEC_MGR
>  	  region and for the BMC. Select this option to enable
>  	  updates for secure FPGA devices.
>  
> +config IFPGA_M10_BMC_SECURE
> +        tristate "Intel MAX10 BMC security engine"
> +	depends on MFD_INTEL_M10_BMC && IFPGA_SEC_MGR
> +        help
> +          Secure update support for the Intel MAX10 board management
> +	  controller.
> +
> +	  This is a subdriver of the Intel MAX10 board management controller
> +	  (BMC) and provides support for secure updates for the BMC image,
> +	  the FPGA image, the Root Entry Hashes, etc.
> +
>  endif # FPGA
> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
> index 6f706590e209..8e702689cdda 100644
> --- a/drivers/fpga/Makefile
> +++ b/drivers/fpga/Makefile
> @@ -24,6 +24,9 @@ obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)    += altera-pr-ip-core-plat.o
>  # Intel FPGA Security Manager Framework
>  obj-$(CONFIG_IFPGA_SEC_MGR)		+= ifpga-sec-mgr.o
>  
> +# Intel Security Manager Drivers
> +obj-$(CONFIG_IFPGA_M10_BMC_SECURE)	+= intel-m10-bmc-secure.o
> +
>  # FPGA Bridge Drivers
>  obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
>  obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
> diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
> new file mode 100644
> index 000000000000..df8ebda9a9cb
> --- /dev/null
> +++ b/drivers/fpga/intel-m10-bmc-secure.c
> @@ -0,0 +1,165 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Intel Max10 Board Management Controller Security Engine Driver
> + *
> + * Copyright (C) 2019-2020 Intel Corporation. All rights reserved.
> + *
> + */
> +#include <linux/bitfield.h>
> +#include <linux/device.h>
> +#include <linux/fpga/ifpga-sec-mgr.h>
> +#include <linux/mfd/intel-m10-bmc.h>
> +#include <linux/module.h>
> +#include <linux/platform_device.h>
> +#include <linux/vmalloc.h>
> +
> +struct m10bmc_sec {
> +	struct device *dev;
> +	struct intel_m10bmc *m10bmc;
> +	struct ifpga_sec_mgr *imgr;
> +};
> +
> +#define REH_SHA256_SIZE		32
> +#define REH_SHA384_SIZE		48
> +#define REH_MAGIC		GENMASK(15, 0)
> +#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
> +
> +static int m10bmc_reh_size(struct ifpga_sec_mgr *imgr,
> +			   u32 exp_magic, u32 prog_addr)
> +{
> +	struct m10bmc_sec *sec = imgr->priv;
> +	int sha_num_bytes, ret;
> +	u32 magic;
> +
> +	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
> +	if (ret)
> +		return ret;
> +
> +	dev_dbg(sec->dev, "%s magic 0x%08x\n", __func__, magic);
> +
> +	/*
> +	 * If no magic number, then no REH is programmed, so
> +	 * the REH size is zero.
> +	 */
> +	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
> +		return 0;
> +
> +	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
> +	if (sha_num_bytes != REH_SHA256_SIZE &&
> +	    sha_num_bytes != REH_SHA384_SIZE)   {
> +		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
> +			sha_num_bytes);
> +		return -EINVAL;
> +	}
> +
> +	return sha_num_bytes;
> +}
> +
> +static int m10bmc_bmc_reh_size(struct ifpga_sec_mgr *imgr)

For naming consistency, the _reh_ vs _root_entry_hash_

pick one.

If you pick _reh_ put a comment at the top since reh isn't a familiar acronym (at least to me)

> +{
> +	return m10bmc_reh_size(imgr, BMC_PROG_MAGIC, BMC_PROG_ADDR);
> +}
> +
> +static int m10bmc_sr_reh_size(struct ifpga_sec_mgr *imgr)
> +{
> +	return m10bmc_reh_size(imgr, SR_PROG_MAGIC, SR_PROG_ADDR);
> +}
> +
> +static int m10bmc_pr_reh_size(struct ifpga_sec_mgr *imgr)
> +{
> +	return m10bmc_reh_size(imgr, PR_PROG_MAGIC, PR_PROG_ADDR);
> +}
> +
> +static int m10bmc_root_entry_hash(struct ifpga_sec_mgr *imgr,
> +				  u32 hash_addr, u8 *hash,
> +				  unsigned int size)
> +{
> +	struct m10bmc_sec *sec = imgr->priv;
> +	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	int ret;
> +
> +	ret = m10bmc_raw_bulk_read(sec->m10bmc, hash_addr,
> +				   hash, size / stride);
> +	if (ret)
> +		dev_err(sec->dev, "bulk_read of 0x%x failed %d",
> +			hash_addr, ret);
> +
> +	return ret;
> +}
> +
> +static int m10bmc_bmc_root_entry_hash(struct ifpga_sec_mgr *imgr,
> +				      u8 *hash, unsigned int size)
> +{
> +	return m10bmc_root_entry_hash(imgr, BMC_REH_ADDR, hash, size);
> +}
> +
> +static int m10bmc_sr_root_entry_hash(struct ifpga_sec_mgr *imgr,
> +				     u8 *hash, unsigned int size)
> +{
> +	return m10bmc_root_entry_hash(imgr, SR_REH_ADDR, hash, size);
> +}
> +
> +static int m10bmc_pr_root_entry_hash(struct ifpga_sec_mgr *imgr,
> +				     u8 *hash, unsigned int size)
> +{
> +	return m10bmc_root_entry_hash(imgr, PR_REH_ADDR, hash, size);
> +}
> +
> +static const struct ifpga_sec_mgr_ops m10bmc_iops = {
> +	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
> +	.sr_root_entry_hash = m10bmc_sr_root_entry_hash,
> +	.pr_root_entry_hash = m10bmc_pr_root_entry_hash,
> +	.bmc_reh_size = m10bmc_bmc_reh_size,
> +	.sr_reh_size = m10bmc_sr_reh_size,
> +	.pr_reh_size = m10bmc_pr_reh_size,
> +};
> +
> +static int m10bmc_secure_probe(struct platform_device *pdev)
> +{
> +	struct ifpga_sec_mgr *imgr;
> +	struct m10bmc_sec *sec;
> +	int ret;
> +
> +	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
> +	if (!sec)
> +		return -ENOMEM;
> +
> +	sec->dev = &pdev->dev;
> +	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
> +	dev_set_drvdata(&pdev->dev, sec);
> +
> +	imgr = devm_ifpga_sec_mgr_create(sec->dev, "Max10 BMC Security Manager",
> +					 &m10bmc_iops, sec);
> +	if (!imgr) {
> +		dev_err(sec->dev,
> +			"Security manager failed to start: %d\n", ret);
> +		return -ENOMEM;
> +	}
> +
> +	sec->imgr = imgr;
> +
> +	return ifpga_sec_mgr_register(imgr);
> +}
> +
> +static int m10bmc_secure_remove(struct platform_device *pdev)
> +{
> +	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
> +
> +	ifpga_sec_mgr_unregister(sec->imgr);
> +
> +	return 0;
> +}
> +
> +static struct platform_driver intel_m10bmc_secure_driver = {
> +	.probe = m10bmc_secure_probe,
> +	.remove = m10bmc_secure_remove,
> +	.driver = {
> +		.name = "n3000bmc-secure",
> +	},
> +};
> +module_platform_driver(intel_m10bmc_secure_driver);
> +
> +MODULE_ALIAS("platform:n3000bmc-secure");
> +MODULE_AUTHOR("Intel Corporation");
> +MODULE_DESCRIPTION("Intel MAX10 BMC secure engine");

Maybe "... secure update"

Tom

> +MODULE_LICENSE("GPL v2");

Re: [PATCH v2 3/6] fpga: m10bmc-sec: expose max10 flash update counts

[Tom Rix]

On 10/2/20 6:24 PM, Russ Weight wrote:
> Extend the MAX10 BMC Security Engine driver to provide a
> handler to expose the flash update count for the FPGA user
> image in sysfs.
>
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v2:
>   - Renamed get_qspi_flash_count() to m10bmc_user_flash_count()
>   - Minor code cleanup per review comments
>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
> ---
>  drivers/fpga/intel-m10-bmc-secure.c | 31 +++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)

Looks fine.

Reviewed-by: Tom Rix <trix@redhat.com>

Re: [PATCH v2 4/6] fpga: m10bmc-sec: expose max10 canceled keys in sysfs

[Tom Rix]

On 10/2/20 6:24 PM, Russ Weight wrote:
> Extend the MAX10 BMC Security Engine driver to provide a
> handler to expose the canceled code signing key (CSK) bit
> vectors in sysfs. These use the standard bitmap list format
> (e.g. 1,2-6,9).
>
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v2:
>   - Replaced small function-creation macros for explicit function
>     declarations.
>   - Fixed get_csk_vector() function to properly apply the stride
>     variable in calls to m10bmc_raw_bulk_read()
>   - Added m10bmc_ prefix to functions in m10bmc_iops structure

Looks ok to me.

Reviewed-by: Tom Rix <trix@redhat.com>

Re: [PATCH v2 5/6] fpga: m10bmc-sec: add max10 secure update functions

[Tom Rix]

On 10/2/20 6:24 PM, Russ Weight wrote:
> Extend the MAX10 BMC Security Engine driver to include
> the functions that enable secure updates of BMC images,
> FPGA images, etc.
>
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v2:
>   - Reworked the rsu_start_done() function to make it more readable
>   - Reworked while-loop condition/content in rsu_prog_ready()
>   - Minor code cleanup per review comments
>   - Added a comment to the m10bmc_sec_poll_complete() function to
>     explain the context (could take 30+ minutes to complete).
>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
>   - Moved MAX10 BMC address and function definitions to a separate
>     patch.
> ---
>  drivers/fpga/intel-m10-bmc-secure.c | 298 ++++++++++++++++++++++++++++
>  1 file changed, 298 insertions(+)
>
> diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
> index 5bb45499b332..a9617c5b3845 100644
> --- a/drivers/fpga/intel-m10-bmc-secure.c
> +++ b/drivers/fpga/intel-m10-bmc-secure.c
> @@ -201,6 +201,300 @@ static int m10bmc_pr_canceled_csks(struct ifpga_sec_mgr *imgr,
>  			      csk_map, nbits);
>  }
>  
> +static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
> +{
> +	u32 auth_result;
> +
> +	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
> +
> +	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
> +		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
> +}
> +
> +static enum ifpga_sec_err rsu_check_idle(struct m10bmc_sec *sec)
> +{
> +	u32 doorbell;
> +	int ret;
> +
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +	if (ret)
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +
> +	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
> +	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_BUSY;
> +	}
> +
> +	return IFPGA_SEC_ERR_NONE;
> +}
> +
> +static inline bool rsu_start_done(u32 doorbell)
> +{
> +	u32 status, progress;
> +
> +	if (doorbell & DRBL_RSU_REQUEST)
> +		return false;
> +
> +	status = rsu_stat(doorbell);
> +	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
> +		return true;
> +
> +	progress = rsu_prog(doorbell);
> +	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
> +		return true;
> +
> +	return false;
> +}
> +
> +static enum ifpga_sec_err rsu_update_init(struct m10bmc_sec *sec)
> +{
> +	u32 doorbell, status;
> +	int ret;
> +
> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
> +				     DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
> +				     DRBL_RSU_REQUEST |
> +				     FIELD_PREP(DRBL_HOST_STATUS,
> +						HOST_STATUS_IDLE));
> +	if (ret)
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +
> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
> +				       doorbell,
> +				       rsu_start_done(doorbell),
> +				       NIOS_HANDSHAKE_INTERVAL_US,
> +				       NIOS_HANDSHAKE_TIMEOUT_US);
> +
> +	if (ret == -ETIMEDOUT) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_TIMEOUT;
> +	} else if (ret) {
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +	}
> +
> +	status = rsu_stat(doorbell);
> +	if (status == RSU_STAT_WEAROUT) {
> +		dev_warn(sec->dev, "Excessive flash update count detected\n");

Device is permanently failing, dev_err or higher is more appropriate than dev_warn.

warn once to limit noisy logs.

> +		return IFPGA_SEC_ERR_WEAROUT;
> +	} else if (status == RSU_STAT_ERASE_FAIL) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_HW_ERROR;
> +	}
> +
> +	return IFPGA_SEC_ERR_NONE;
> +}
> +
> +static enum ifpga_sec_err (struct m10bmc_sec *sec)
> +{
> +	unsigned long poll_timeout;
> +	u32 doorbell, progress;
> +	int ret;
> +
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +	if (ret)
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +
> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
> +	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
> +		msleep(RSU_PREP_INTERVAL_MS);
> +		if (time_after(jiffies, poll_timeout))
> +			break;
> +
> +		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +		if (ret)
> +			return IFPGA_SEC_ERR_RW_ERROR;
> +	}
> +
> +	progress = rsu_prog(doorbell);
> +	if (progress == RSU_PROG_PREPARE) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_TIMEOUT;
> +	} else if (progress != RSU_PROG_READY) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_HW_ERROR;
> +	}
> +
> +	return IFPGA_SEC_ERR_NONE;
> +}
> +
> +static enum ifpga_sec_err rsu_send_data(struct m10bmc_sec *sec)
> +{
> +	u32 doorbell;
> +	int ret;
> +
> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
> +				     DRBL_HOST_STATUS,
> +				     FIELD_PREP(DRBL_HOST_STATUS,
> +						HOST_STATUS_WRITE_DONE));
> +	if (ret)
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +
> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
> +				       doorbell,
> +				       rsu_prog(doorbell) != RSU_PROG_READY,
> +				       NIOS_HANDSHAKE_INTERVAL_US,
> +				       NIOS_HANDSHAKE_TIMEOUT_US);
> +
> +	if (ret == -ETIMEDOUT) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_TIMEOUT;
> +	} else if (ret) {
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +	}
> +
> +	switch (rsu_stat(doorbell)) {
> +	case RSU_STAT_NORMAL:
> +	case RSU_STAT_NIOS_OK:
> +	case RSU_STAT_USER_OK:
> +	case RSU_STAT_FACTORY_OK:
> +		break;
> +	default:
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_HW_ERROR;
> +	}

This and similar below..

switch can be converted to

if (!rsu_stat(doorbell) & (RSU_STAT_NORMAL | ... ))

  fail

> +
> +	return IFPGA_SEC_ERR_NONE;
> +}
> +
> +static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
> +{
> +	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
> +		return -EIO;
> +
> +	switch (rsu_stat(*doorbell)) {
> +	case RSU_STAT_NORMAL:
> +	case RSU_STAT_NIOS_OK:
> +	case RSU_STAT_USER_OK:
> +	case RSU_STAT_FACTORY_OK:
> +	case RSU_STAT_WEAROUT:
> +		break;
> +	default:
> +		return -EINVAL;
> +	}
> +
> +	switch (rsu_prog(*doorbell)) {
> +	case RSU_PROG_IDLE:
> +	case RSU_PROG_RSU_DONE:
> +		return 0;
> +	case RSU_PROG_AUTHENTICATING:
> +	case RSU_PROG_COPYING:
> +	case RSU_PROG_UPDATE_CANCEL:
> +	case RSU_PROG_PROGRAM_KEY_HASH:
> +		return -EAGAIN;
> +	default:
> +		return -EINVAL;
> +	}
> +}
> +
> +static enum ifpga_sec_err m10bmc_sec_prepare(struct ifpga_sec_mgr *imgr)
> +{
> +	struct m10bmc_sec *sec = imgr->priv;
> +	enum ifpga_sec_err ret;
> +
> +	if (imgr->remaining_size > M10BMC_STAGING_SIZE)
> +		return IFPGA_SEC_ERR_INVALID_SIZE;
> +
> +	ret = rsu_check_idle(sec);
> +	if (ret)

This needs to change, generally, to

if (ret != IFPGA_SEC_ERR_NONE)

> +		return ret;
> +
> +	ret = rsu_update_init(sec);
> +	if (ret)
> +		return ret;
> +
> +	return rsu_prog_ready(sec);
> +}
> +
> +static enum ifpga_sec_err
> +m10bmc_sec_write_blk(struct ifpga_sec_mgr *imgr, u32 offset, u32 size)
> +{
> +	struct m10bmc_sec *sec = imgr->priv;
> +	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	u32 doorbell;
> +	int ret;
> +
size check here.
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);

Wondering about the use of m10bmc_sys_read generally.

If secure writing depends on new mmio region why not use the raw_read ?

wondering if mixing old door bell regs with new sec regs would even work.

> +	if (ret) {
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_HW_ERROR;
> +	}
> +
> +	ret = m10bmc_raw_bulk_write(sec->m10bmc, M10BMC_STAGING_BASE + offset,
> +				    (void *)imgr->data + offset, size / stride);
> +
> +	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
> +}
> +
> +/*
> + * m10bmc_sec_poll_complete() is called after handing things off to
> + * the BMC firmware. Depending on the type of update, it could be
> + * 30+ minutes before the BMC firmware completes the update. The
> + * imgr->driver_unload check allows the driver to be unloaded,
> + * but the BMC firmware will continue the update and no further
> + * secure updates can be started for this device until the update
> + * is complete.
> + */
> +static enum ifpga_sec_err m10bmc_sec_poll_complete(struct ifpga_sec_mgr *imgr)
> +{
> +	struct m10bmc_sec *sec = imgr->priv;
> +	unsigned long poll_timeout;
> +	enum ifpga_sec_err result;
> +	u32 doorbell;
> +	int ret;
> +
> +	result = rsu_send_data(sec);
> +	if (result)
> +		return result;
> +
> +	ret = rsu_check_complete(sec, &doorbell);
> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
> +
> +	while (ret == -EAGAIN && !time_after(jiffies, poll_timeout)) {
> +		msleep(RSU_COMPLETE_INTERVAL_MS);
> +		ret = rsu_check_complete(sec, &doorbell);
> +		if (imgr->driver_unload)
> +			return IFPGA_SEC_ERR_CANCELED;

Instead of checking for complete could you check the progress ?

hate for it to fail with 90% done.

Tom

> +	}
> +
> +	if (ret == -EAGAIN) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_TIMEOUT;
> +	} else if (ret == -EIO) {
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +	} else if (ret) {
> +		log_error_regs(sec, doorbell);
> +		return IFPGA_SEC_ERR_HW_ERROR;
> +	}
> +
> +	return IFPGA_SEC_ERR_NONE;
> +}
> +
> +static enum ifpga_sec_err m10bmc_sec_cancel(struct ifpga_sec_mgr *imgr)
> +{
> +	struct m10bmc_sec *sec = imgr->priv;
> +	u32 doorbell;
> +	int ret;
> +
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +	if (ret)
> +		return IFPGA_SEC_ERR_RW_ERROR;
> +
> +	if (rsu_prog(doorbell) != RSU_PROG_READY)
> +		return IFPGA_SEC_ERR_BUSY;
> +
> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
> +				     DRBL_HOST_STATUS,
> +				     FIELD_PREP(DRBL_HOST_STATUS,
> +						HOST_STATUS_ABORT_RSU));
> +
> +	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
> +}
> +
>  static const struct ifpga_sec_mgr_ops m10bmc_iops = {
>  	.user_flash_count = m10bmc_user_flash_count,
>  	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
> @@ -215,6 +509,10 @@ static const struct ifpga_sec_mgr_ops m10bmc_iops = {
>  	.bmc_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>  	.sr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>  	.pr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
> +	.prepare = m10bmc_sec_prepare,
> +	.write_blk = m10bmc_sec_write_blk,
> +	.poll_complete = m10bmc_sec_poll_complete,
> +	.cancel = m10bmc_sec_cancel,
>  };
>  
>  static int m10bmc_secure_probe(struct platform_device *pdev)

Re: [PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Lee Jones]

On Fri, 02 Oct 2020, Russ Weight wrote:

> Add macros and definitions required by the MAX10 BMC
> Security Engine driver.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v2:
>   - These functions and macros were previously distributed among
>     the patches that needed them. They are now grouped together
>     in a single patch containing changes to the Intel MAX10 BMC
>     driver.
>   - Added DRBL_ prefix to some definitions
>   - Some address definitions were moved here from the .c files that
>     use them.
> ---
>  include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
>  1 file changed, 134 insertions(+)
> 
> diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
> index c8ef2f1654a4..880f907302eb 100644
> --- a/include/linux/mfd/intel-m10-bmc.h
> +++ b/include/linux/mfd/intel-m10-bmc.h
> @@ -13,6 +13,9 @@

>   * m10bmc_raw_read - read m10bmc register per addr
> + * m10bmc_raw_bulk_read - bulk read max10 registers per addr
> + * m10bmc_raw_bulk_write - bulk write max10 registers per addr
> + * m10bmc_raw_update_bits - update max10 register per addr
>   * m10bmc_sys_read - read m10bmc system register per offset
> + * m10bmc_sys_update_bits - update max10 system register per offset
>   */

FWIW, I *hate* abstraction for the sake of abstraction.

Please just use the Regmap API in-place instead.

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

Re: [PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Russ Weight]

On 10/7/20 12:00 AM, Lee Jones wrote:
> On Fri, 02 Oct 2020, Russ Weight wrote:
>
>> Add macros and definitions required by the MAX10 BMC
>> Security Engine driver.
>>
>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>> ---
>> v2:
>>   - These functions and macros were previously distributed among
>>     the patches that needed them. They are now grouped together
>>     in a single patch containing changes to the Intel MAX10 BMC
>>     driver.
>>   - Added DRBL_ prefix to some definitions
>>   - Some address definitions were moved here from the .c files that
>>     use them.
>> ---
>>  include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
>>  1 file changed, 134 insertions(+)
>>
>> diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
>> index c8ef2f1654a4..880f907302eb 100644
>> --- a/include/linux/mfd/intel-m10-bmc.h
>> +++ b/include/linux/mfd/intel-m10-bmc.h
>> @@ -13,6 +13,9 @@
>>   * m10bmc_raw_read - read m10bmc register per addr
>> + * m10bmc_raw_bulk_read - bulk read max10 registers per addr
>> + * m10bmc_raw_bulk_write - bulk write max10 registers per addr
>> + * m10bmc_raw_update_bits - update max10 register per addr
>>   * m10bmc_sys_read - read m10bmc system register per offset
>> + * m10bmc_sys_update_bits - update max10 system register per offset
>>   */
> FWIW, I *hate* abstraction for the sake of abstraction.
>
> Please just use the Regmap API in-place instead.
>
I was following the discussion on the Max10 BMC driver to determine which way to go:

https://marc.info/?l=linux-kernel&m=159964043207829&w=2

My understanding was that the existing function wrappers were accepted because:

(1) The functions are adding dev_err() calls that would have to be replicated
for each call if we don't create a new function.
(2) The _sys_ macros are adding a base address offset, which facilitates
sharing code between multiple devices (although only the n3000 is supported with
the current patches).

Would you prefer that we handle these on a case by case basis? And only provide
wrappers for the ones that have high usage?

- Russ

Re: [PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Russ Weight]

On 10/6/20 9:34 AM, Tom Rix wrote:
> On 10/2/20 6:24 PM, Russ Weight wrote:
>> Add macros and definitions required by the MAX10 BMC
>> Security Engine driver.
>>
>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>> ---
>> v2:
>>   - These functions and macros were previously distributed among
>>     the patches that needed them. They are now grouped together
>>     in a single patch containing changes to the Intel MAX10 BMC
>>     driver.
>>   - Added DRBL_ prefix to some definitions
>>   - Some address definitions were moved here from the .c files that
>>     use them.
>> ---
>>  include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
>>  1 file changed, 134 insertions(+)
>>
>> diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
>> index c8ef2f1654a4..880f907302eb 100644
>> --- a/include/linux/mfd/intel-m10-bmc.h
>> +++ b/include/linux/mfd/intel-m10-bmc.h
>> @@ -13,6 +13,9 @@
>>  #define M10BMC_SYS_BASE			0x300800
>>  #define M10BMC_MEM_END			0x200000fc
>>  
>> +#define M10BMC_STAGING_BASE		0x18000000
>> +#define M10BMC_STAGING_SIZE		0x3800000
> The staging size is not used, please use it in m10bmc_sec_write_blk to
>
> check the input parameter 'size'

It is used to check the input size in the prepare function:
m10bmc_sec_prepare()

        if (smgr->remaining_size > M10BMC_STAGING_SIZE)
                return FPGA_SEC_ERR_INVALID_SIZE;

- Russ

>
>> +
>>  /* Register offset of system registers */
>>  #define NIOS2_FW_VERSION		0x0
>>  #define M10BMC_TEST_REG			0x3c
>> @@ -21,6 +24,88 @@
>>  #define M10BMC_VER_PCB_INFO_MSK		GENMASK(31, 24)
>>  #define M10BMC_VER_LEGACY_INVALID	0xffffffff
>>  
>> +/* Secure update doorbell register, in system register region */
>> +#define M10BMC_DOORBELL			0x400
>> +
>> +/* Authorization Result register, in system register region */
>> +#define M10BMC_AUTH_RESULT		0x404
>> +
>> +/* Doorbell register fields */
>> +#define DRBL_RSU_REQUEST		BIT(0)
>> +#define DRBL_RSU_PROGRESS		GENMASK(7, 4)
>> +#define DRBL_HOST_STATUS		GENMASK(11, 8)
>> +#define DRBL_RSU_STATUS			GENMASK(23, 16)
>> +#define DRBL_PKVL_EEPROM_LOAD_SEC	BIT(24)
>> +#define DRBL_PKVL1_POLL_EN		BIT(25)
>> +#define DRBL_PKVL2_POLL_EN		BIT(26)
> PKVL seems like it would be n3000 specific.
>
> For this and similar it may be good to add a _N3000_ in the name.
>
>> +#define DRBL_CONFIG_SEL			BIT(28)
>> +#define DRBL_REBOOT_REQ			BIT(29)
>> +#define DRBL_REBOOT_DISABLED		BIT(30)
>> +
>> +/* Progress states */
>> +#define RSU_PROG_IDLE			0x0
>> +#define RSU_PROG_PREPARE		0x1
>> +#define RSU_PROG_READY			0x3
>> +#define RSU_PROG_AUTHENTICATING		0x4
>> +#define RSU_PROG_COPYING		0x5
>> +#define RSU_PROG_UPDATE_CANCEL		0x6
>> +#define RSU_PROG_PROGRAM_KEY_HASH	0x7
>> +#define RSU_PROG_RSU_DONE		0x8
>> +#define RSU_PROG_PKVL_PROM_DONE		0x9
>> +
>> +/* Device and error states */
>> +#define RSU_STAT_NORMAL			0x0
>> +#define RSU_STAT_TIMEOUT		0x1
>> +#define RSU_STAT_AUTH_FAIL		0x2
>> +#define RSU_STAT_COPY_FAIL		0x3
>> +#define RSU_STAT_FATAL			0x4
>> +#define RSU_STAT_PKVL_REJECT		0x5
>> +#define RSU_STAT_NON_INC		0x6
>> +#define RSU_STAT_ERASE_FAIL		0x7
>> +#define RSU_STAT_WEAROUT		0x8
>> +#define RSU_STAT_NIOS_OK		0x80
>> +#define RSU_STAT_USER_OK		0x81
>> +#define RSU_STAT_FACTORY_OK		0x82
>> +#define RSU_STAT_USER_FAIL		0x83
>> +#define RSU_STAT_FACTORY_FAIL		0x84
>> +#define RSU_STAT_NIOS_FLASH_ERR		0x85
>> +#define RSU_STAT_FPGA_FLASH_ERR		0x86
>> +
>> +#define HOST_STATUS_IDLE		0x0
>> +#define HOST_STATUS_WRITE_DONE		0x1
>> +#define HOST_STATUS_ABORT_RSU		0x2
>> +
>> +#define rsu_prog(doorbell)	FIELD_GET(DRBL_RSU_PROGRESS, doorbell)
>> +#define rsu_stat(doorbell)	FIELD_GET(DRBL_RSU_STATUS, doorbell)
>> +
>> +/* interval 100ms and timeout 5s */
>> +#define NIOS_HANDSHAKE_INTERVAL_US	(100 * 1000)
>> +#define NIOS_HANDSHAKE_TIMEOUT_US	(5 * 1000 * 1000)
>> +
>> +/* RSU PREP Timeout (2 minutes) to erase flash staging area */
>> +#define RSU_PREP_INTERVAL_MS		100
>> +#define RSU_PREP_TIMEOUT_MS		(2 * 60 * 1000)
>> +
>> +/* RSU Complete Timeout (40 minutes) for full flash update */
>> +#define RSU_COMPLETE_INTERVAL_MS	1000
>> +#define RSU_COMPLETE_TIMEOUT_MS		(40 * 60 * 1000)
> minutes is an unusual timeout unit.
>
> It may be worthwhile to spell out MINUTES to avoid confusing with micro seconds.
>
> Tom
>
>> +
>> +/* Addresses for security related data in FLASH */
>> +#define BMC_REH_ADDR	0x17ffc004
>> +#define BMC_PROG_ADDR	0x17ffc000
>> +#define BMC_PROG_MAGIC	0x5746
>> +
>> +#define SR_REH_ADDR	0x17ffd004
>> +#define SR_PROG_ADDR	0x17ffd000
>> +#define SR_PROG_MAGIC	0x5253
>> +
>> +#define PR_REH_ADDR	0x17ffe004
>> +#define PR_PROG_ADDR	0x17ffe000
>> +#define PR_PROG_MAGIC	0x5250
>> +
>> +/* Address of inverted bit vector containing user the image FLASH count */
>> +#define USER_FLASH_COUNT 0x17ffb000
>> +
>>  /**
>>   * struct intel_m10bmc - Intel MAX 10 BMC parent driver data structure
>>   * @dev: this device
>> @@ -35,7 +120,11 @@ struct intel_m10bmc {
>>   * register access helper functions.
>>   *
>>   * m10bmc_raw_read - read m10bmc register per addr
>> + * m10bmc_raw_bulk_read - bulk read max10 registers per addr
>> + * m10bmc_raw_bulk_write - bulk write max10 registers per addr
>> + * m10bmc_raw_update_bits - update max10 register per addr
>>   * m10bmc_sys_read - read m10bmc system register per offset
>> + * m10bmc_sys_update_bits - update max10 system register per offset
>>   */
>>  static inline int
>>  m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>> @@ -51,6 +140,48 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>  	return ret;
>>  }
>>  
>> +static inline int
>> +m10bmc_raw_bulk_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>> +		     void *val, size_t cnt)
>> +{
>> +	int ret;
>> +
>> +	ret = regmap_bulk_read(m10bmc->regmap, addr, val, cnt);
>> +	if (ret)
>> +		dev_err(m10bmc->dev, "fail to read raw reg %x cnt %zx: %d\n",
>> +			addr, cnt, ret);
>> +
>> +	return ret;
>> +}
>> +
>> +static inline int
>> +m10bmc_raw_bulk_write(struct intel_m10bmc *m10bmc, unsigned int addr,
>> +		      void *val, size_t cnt)
>> +{
>> +	int ret;
>> +
>> +	ret = regmap_bulk_write(m10bmc->regmap, addr, val, cnt);
>> +	if (ret)
>> +		dev_err(m10bmc->dev, "fail to write raw reg %x cnt %zx: %d\n",
>> +			addr, cnt, ret);
>> +
>> +	return ret;
>> +}
>> +
>> +static inline int
>> +m10bmc_raw_update_bits(struct intel_m10bmc *m10bmc, unsigned int addr,
>> +		       unsigned int msk, unsigned int val)
>> +{
>> +	int ret;
>> +
>> +	ret = regmap_update_bits(m10bmc->regmap, addr, msk, val);
>> +	if (ret)
>> +		dev_err(m10bmc->dev, "fail to update raw reg %x: %d\n",
>> +			addr, ret);
>> +
>> +	return ret;
>> +}
>> +
>>  /*
>>   * The base of the system registers could be configured by HW developers, and
>>   * in HW SPEC, the base is not added to the addresses of the system registers.
>> @@ -62,4 +193,7 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>  #define m10bmc_sys_read(m10bmc, offset, val) \
>>  	m10bmc_raw_read(m10bmc, M10BMC_SYS_BASE + (offset), val)
>>  
>> +#define m10bmc_sys_update_bits(m10bmc, offset, msk, val) \
>> +	m10bmc_raw_update_bits(m10bmc, M10BMC_SYS_BASE + (offset), msk, val)
>> +
>>  #endif /* __MFD_INTEL_M10_BMC_H */

Re: [PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Lee Jones]

On Wed, 07 Oct 2020, Russ Weight wrote:
> On 10/7/20 12:00 AM, Lee Jones wrote:
> > On Fri, 02 Oct 2020, Russ Weight wrote:
> >
> >> Add macros and definitions required by the MAX10 BMC
> >> Security Engine driver.
> >>
> >> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> >> ---
> >> v2:
> >>   - These functions and macros were previously distributed among
> >>     the patches that needed them. They are now grouped together
> >>     in a single patch containing changes to the Intel MAX10 BMC
> >>     driver.
> >>   - Added DRBL_ prefix to some definitions
> >>   - Some address definitions were moved here from the .c files that
> >>     use them.
> >> ---
> >>  include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
> >>  1 file changed, 134 insertions(+)
> >>
> >> diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
> >> index c8ef2f1654a4..880f907302eb 100644
> >> --- a/include/linux/mfd/intel-m10-bmc.h
> >> +++ b/include/linux/mfd/intel-m10-bmc.h
> >> @@ -13,6 +13,9 @@
> >>   * m10bmc_raw_read - read m10bmc register per addr
> >> + * m10bmc_raw_bulk_read - bulk read max10 registers per addr
> >> + * m10bmc_raw_bulk_write - bulk write max10 registers per addr
> >> + * m10bmc_raw_update_bits - update max10 register per addr
> >>   * m10bmc_sys_read - read m10bmc system register per offset
> >> + * m10bmc_sys_update_bits - update max10 system register per offset
> >>   */
> > FWIW, I *hate* abstraction for the sake of abstraction.
> >
> > Please just use the Regmap API in-place instead.
> >
> I was following the discussion on the Max10 BMC driver to determine which way to go:
> 
> https://marc.info/?l=linux-kernel&m=159964043207829&w=2
> 
> My understanding was that the existing function wrappers were accepted because:
> 
> (1) The functions are adding dev_err() calls that would have to be replicated
> for each call if we don't create a new function.
> (2) The _sys_ macros are adding a base address offset, which facilitates
> sharing code between multiple devices (although only the n3000 is supported with
> the current patches).
> 
> Would you prefer that we handle these on a case by case basis? And only provide
> wrappers for the ones that have high usage?

Yes please.  As I said in the link above, avoid them it at all
possible.  If you and every other user needs to place an error message
after every single call, consider moving the error message into the
API itself.

There are 10's if not 100's of different API calls where users
normally place error messages following them.  To abstract them all
for each platform would be insane.

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

Re: [PATCH v2 2/6] fpga: m10bmc-sec: create max10 bmc security engine

[Russ Weight]

On 10/6/20 10:31 AM, Tom Rix wrote:
> On 10/2/20 6:24 PM, Russ Weight wrote:
>> Create a platform driver that can be invoked as a sub
>> driver for the Intel MAX10 BMC in order to support
>> secure updates. This sub-driver will invoke an
>> instance of the Intel FPGA Security Manager class driver
>> in order to expose sysfs interfaces for managing and
>> monitoring secure updates to FPGA and BMC images.
>>
>> This patch creates the MAX10 BMC Security Engine driver and
>> provides support for displaying the current root entry hashes
>> for the FPGA static region, the FPGA PR region, and the MAX10
>> BMC.
>>
>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>> ---
>> v2:
>>   - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
>>   - Switched to GENMASK(31, 16) for a couple of mask definitions.
>>   - Moved MAX10 BMC address and function definitions to a separate
>>     patch.
>>   - Replaced small function-creation macros with explicit function
>>     declarations.
>>   - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
>>   - Adapted to changes in the Intel FPGA Security Manager by splitting
>>     the single call to ifpga_sec_mgr_register() into two function
>>     calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
>> ---
>>  MAINTAINERS                         |   1 +
>>  drivers/fpga/Kconfig                |  11 ++
>>  drivers/fpga/Makefile               |   3 +
>>  drivers/fpga/intel-m10-bmc-secure.c | 165 ++++++++++++++++++++++++++++
>>  4 files changed, 180 insertions(+)
>>  create mode 100644 drivers/fpga/intel-m10-bmc-secure.c
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index 0bb5ef309dec..c359d0214980 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -6898,6 +6898,7 @@ S:	Maintained
>>  F:	Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
>>  F:	Documentation/fpga/ifpga-sec-mgr.rst
>>  F:	drivers/fpga/ifpga-sec-mgr.c
>> +F:	drivers/fpga/intel-m10-bmc-secure.c
>>  F:	include/linux/fpga/ifpga-sec-mgr.h
>>  
>>  FPU EMULATOR
>> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
>> index c534cc80f398..2380d36b08c7 100644
>> --- a/drivers/fpga/Kconfig
>> +++ b/drivers/fpga/Kconfig
>> @@ -235,4 +235,15 @@ config IFPGA_SEC_MGR
>>  	  region and for the BMC. Select this option to enable
>>  	  updates for secure FPGA devices.
>>  
>> +config IFPGA_M10_BMC_SECURE
>> +        tristate "Intel MAX10 BMC security engine"
>> +	depends on MFD_INTEL_M10_BMC && IFPGA_SEC_MGR
>> +        help
>> +          Secure update support for the Intel MAX10 board management
>> +	  controller.
>> +
>> +	  This is a subdriver of the Intel MAX10 board management controller
>> +	  (BMC) and provides support for secure updates for the BMC image,
>> +	  the FPGA image, the Root Entry Hashes, etc.
>> +
>>  endif # FPGA
>> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
>> index 6f706590e209..8e702689cdda 100644
>> --- a/drivers/fpga/Makefile
>> +++ b/drivers/fpga/Makefile
>> @@ -24,6 +24,9 @@ obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)    += altera-pr-ip-core-plat.o
>>  # Intel FPGA Security Manager Framework
>>  obj-$(CONFIG_IFPGA_SEC_MGR)		+= ifpga-sec-mgr.o
>>  
>> +# Intel Security Manager Drivers
>> +obj-$(CONFIG_IFPGA_M10_BMC_SECURE)	+= intel-m10-bmc-secure.o
>> +
>>  # FPGA Bridge Drivers
>>  obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
>>  obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
>> diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
>> new file mode 100644
>> index 000000000000..df8ebda9a9cb
>> --- /dev/null
>> +++ b/drivers/fpga/intel-m10-bmc-secure.c
>> @@ -0,0 +1,165 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Intel Max10 Board Management Controller Security Engine Driver
>> + *
>> + * Copyright (C) 2019-2020 Intel Corporation. All rights reserved.
>> + *
>> + */
>> +#include <linux/bitfield.h>
>> +#include <linux/device.h>
>> +#include <linux/fpga/ifpga-sec-mgr.h>
>> +#include <linux/mfd/intel-m10-bmc.h>
>> +#include <linux/module.h>
>> +#include <linux/platform_device.h>
>> +#include <linux/vmalloc.h>
>> +
>> +struct m10bmc_sec {
>> +	struct device *dev;
>> +	struct intel_m10bmc *m10bmc;
>> +	struct ifpga_sec_mgr *imgr;
>> +};
>> +
>> +#define REH_SHA256_SIZE		32
>> +#define REH_SHA384_SIZE		48
>> +#define REH_MAGIC		GENMASK(15, 0)
>> +#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
>> +
>> +static int m10bmc_reh_size(struct ifpga_sec_mgr *imgr,
>> +			   u32 exp_magic, u32 prog_addr)
>> +{
>> +	struct m10bmc_sec *sec = imgr->priv;
>> +	int sha_num_bytes, ret;
>> +	u32 magic;
>> +
>> +	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
>> +	if (ret)
>> +		return ret;
>> +
>> +	dev_dbg(sec->dev, "%s magic 0x%08x\n", __func__, magic);
>> +
>> +	/*
>> +	 * If no magic number, then no REH is programmed, so
>> +	 * the REH size is zero.
>> +	 */
>> +	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
>> +		return 0;
>> +
>> +	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
>> +	if (sha_num_bytes != REH_SHA256_SIZE &&
>> +	    sha_num_bytes != REH_SHA384_SIZE)   {
>> +		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
>> +			sha_num_bytes);
>> +		return -EINVAL;
>> +	}
>> +
>> +	return sha_num_bytes;
>> +}
>> +
>> +static int m10bmc_bmc_reh_size(struct ifpga_sec_mgr *imgr)
> For naming consistency, the _reh_ vs _root_entry_hash_
>
> pick one.
>
> If you pick _reh_ put a comment at the top since reh isn't a familiar acronym (at least to me)
OK - I'll go with reh and put a comment at the beginning of the REH support.

>
>> +{
>> +	return m10bmc_reh_size(imgr, BMC_PROG_MAGIC, BMC_PROG_ADDR);
>> +}
>> +
>> +static int m10bmc_sr_reh_size(struct ifpga_sec_mgr *imgr)
>> +{
>> +	return m10bmc_reh_size(imgr, SR_PROG_MAGIC, SR_PROG_ADDR);
>> +}
>> +
>> +static int m10bmc_pr_reh_size(struct ifpga_sec_mgr *imgr)
>> +{
>> +	return m10bmc_reh_size(imgr, PR_PROG_MAGIC, PR_PROG_ADDR);
>> +}
>> +
>> +static int m10bmc_root_entry_hash(struct ifpga_sec_mgr *imgr,
>> +				  u32 hash_addr, u8 *hash,
>> +				  unsigned int size)
>> +{
>> +	struct m10bmc_sec *sec = imgr->priv;
>> +	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>> +	int ret;
>> +
>> +	ret = m10bmc_raw_bulk_read(sec->m10bmc, hash_addr,
>> +				   hash, size / stride);
>> +	if (ret)
>> +		dev_err(sec->dev, "bulk_read of 0x%x failed %d",
>> +			hash_addr, ret);
>> +
>> +	return ret;
>> +}
>> +
>> +static int m10bmc_bmc_root_entry_hash(struct ifpga_sec_mgr *imgr,
>> +				      u8 *hash, unsigned int size)
>> +{
>> +	return m10bmc_root_entry_hash(imgr, BMC_REH_ADDR, hash, size);
>> +}
>> +
>> +static int m10bmc_sr_root_entry_hash(struct ifpga_sec_mgr *imgr,
>> +				     u8 *hash, unsigned int size)
>> +{
>> +	return m10bmc_root_entry_hash(imgr, SR_REH_ADDR, hash, size);
>> +}
>> +
>> +static int m10bmc_pr_root_entry_hash(struct ifpga_sec_mgr *imgr,
>> +				     u8 *hash, unsigned int size)
>> +{
>> +	return m10bmc_root_entry_hash(imgr, PR_REH_ADDR, hash, size);
>> +}
>> +
>> +static const struct ifpga_sec_mgr_ops m10bmc_iops = {
>> +	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
>> +	.sr_root_entry_hash = m10bmc_sr_root_entry_hash,
>> +	.pr_root_entry_hash = m10bmc_pr_root_entry_hash,
>> +	.bmc_reh_size = m10bmc_bmc_reh_size,
>> +	.sr_reh_size = m10bmc_sr_reh_size,
>> +	.pr_reh_size = m10bmc_pr_reh_size,
>> +};
>> +
>> +static int m10bmc_secure_probe(struct platform_device *pdev)
>> +{
>> +	struct ifpga_sec_mgr *imgr;
>> +	struct m10bmc_sec *sec;
>> +	int ret;
>> +
>> +	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
>> +	if (!sec)
>> +		return -ENOMEM;
>> +
>> +	sec->dev = &pdev->dev;
>> +	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
>> +	dev_set_drvdata(&pdev->dev, sec);
>> +
>> +	imgr = devm_ifpga_sec_mgr_create(sec->dev, "Max10 BMC Security Manager",
>> +					 &m10bmc_iops, sec);
>> +	if (!imgr) {
>> +		dev_err(sec->dev,
>> +			"Security manager failed to start: %d\n", ret);
>> +		return -ENOMEM;
>> +	}
>> +
>> +	sec->imgr = imgr;
>> +
>> +	return ifpga_sec_mgr_register(imgr);
>> +}
>> +
>> +static int m10bmc_secure_remove(struct platform_device *pdev)
>> +{
>> +	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
>> +
>> +	ifpga_sec_mgr_unregister(sec->imgr);
>> +
>> +	return 0;
>> +}
>> +
>> +static struct platform_driver intel_m10bmc_secure_driver = {
>> +	.probe = m10bmc_secure_probe,
>> +	.remove = m10bmc_secure_remove,
>> +	.driver = {
>> +		.name = "n3000bmc-secure",
>> +	},
>> +};
>> +module_platform_driver(intel_m10bmc_secure_driver);
>> +
>> +MODULE_ALIAS("platform:n3000bmc-secure");
>> +MODULE_AUTHOR("Intel Corporation");
>> +MODULE_DESCRIPTION("Intel MAX10 BMC secure engine");
> Maybe "... secure update"
Yeah - that sounds better.

Thanks,
- Russ
>
> Tom
>
>> +MODULE_LICENSE("GPL v2");

Re: [PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Russ Weight]

I just realized that I missed a few questions on my first reply.
Please see my responses below.

On 10/7/20 5:52 PM, Russ Weight wrote:
>
> On 10/6/20 9:34 AM, Tom Rix wrote:
>> On 10/2/20 6:24 PM, Russ Weight wrote:
>>> Add macros and definitions required by the MAX10 BMC
>>> Security Engine driver.
>>>
>>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>>> ---
>>> v2:
>>>   - These functions and macros were previously distributed among
>>>     the patches that needed them. They are now grouped together
>>>     in a single patch containing changes to the Intel MAX10 BMC
>>>     driver.
>>>   - Added DRBL_ prefix to some definitions
>>>   - Some address definitions were moved here from the .c files that
>>>     use them.
>>> ---
>>>  include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
>>>  1 file changed, 134 insertions(+)
>>>
>>> diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
>>> index c8ef2f1654a4..880f907302eb 100644
>>> --- a/include/linux/mfd/intel-m10-bmc.h
>>> +++ b/include/linux/mfd/intel-m10-bmc.h
>>> @@ -13,6 +13,9 @@
>>>  #define M10BMC_SYS_BASE			0x300800
>>>  #define M10BMC_MEM_END			0x200000fc
>>>  
>>> +#define M10BMC_STAGING_BASE		0x18000000
>>> +#define M10BMC_STAGING_SIZE		0x3800000
>> The staging size is not used, please use it in m10bmc_sec_write_blk to
>>
>> check the input parameter 'size'
> It is used to check the input size in the prepare function:
> m10bmc_sec_prepare()
>
>         if (smgr->remaining_size > M10BMC_STAGING_SIZE)
>                 return FPGA_SEC_ERR_INVALID_SIZE;
>
> - Russ
>
>>> +
>>>  /* Register offset of system registers */
>>>  #define NIOS2_FW_VERSION		0x0
>>>  #define M10BMC_TEST_REG			0x3c
>>> @@ -21,6 +24,88 @@
>>>  #define M10BMC_VER_PCB_INFO_MSK		GENMASK(31, 24)
>>>  #define M10BMC_VER_LEGACY_INVALID	0xffffffff
>>>  
>>> +/* Secure update doorbell register, in system register region */
>>> +#define M10BMC_DOORBELL			0x400
>>> +
>>> +/* Authorization Result register, in system register region */
>>> +#define M10BMC_AUTH_RESULT		0x404
>>> +
>>> +/* Doorbell register fields */
>>> +#define DRBL_RSU_REQUEST		BIT(0)
>>> +#define DRBL_RSU_PROGRESS		GENMASK(7, 4)
>>> +#define DRBL_HOST_STATUS		GENMASK(11, 8)
>>> +#define DRBL_RSU_STATUS			GENMASK(23, 16)
>>> +#define DRBL_PKVL_EEPROM_LOAD_SEC	BIT(24)
>>> +#define DRBL_PKVL1_POLL_EN		BIT(25)
>>> +#define DRBL_PKVL2_POLL_EN		BIT(26)
>> PKVL seems like it would be n3000 specific.
>>
>> For this and similar it may be good to add a _N3000_ in the name.
I'm hoping Yilun and Hao might chime in here. We have substituted PKVL
for Retimer in some places in the code.
>>
>>> +#define DRBL_CONFIG_SEL			BIT(28)
>>> +#define DRBL_REBOOT_REQ			BIT(29)
>>> +#define DRBL_REBOOT_DISABLED		BIT(30)
>>> +
>>> +/* Progress states */
>>> +#define RSU_PROG_IDLE			0x0
>>> +#define RSU_PROG_PREPARE		0x1
>>> +#define RSU_PROG_READY			0x3
>>> +#define RSU_PROG_AUTHENTICATING		0x4
>>> +#define RSU_PROG_COPYING		0x5
>>> +#define RSU_PROG_UPDATE_CANCEL		0x6
>>> +#define RSU_PROG_PROGRAM_KEY_HASH	0x7
>>> +#define RSU_PROG_RSU_DONE		0x8
>>> +#define RSU_PROG_PKVL_PROM_DONE		0x9
>>> +
>>> +/* Device and error states */
>>> +#define RSU_STAT_NORMAL			0x0
>>> +#define RSU_STAT_TIMEOUT		0x1
>>> +#define RSU_STAT_AUTH_FAIL		0x2
>>> +#define RSU_STAT_COPY_FAIL		0x3
>>> +#define RSU_STAT_FATAL			0x4
>>> +#define RSU_STAT_PKVL_REJECT		0x5
>>> +#define RSU_STAT_NON_INC		0x6
>>> +#define RSU_STAT_ERASE_FAIL		0x7
>>> +#define RSU_STAT_WEAROUT		0x8
>>> +#define RSU_STAT_NIOS_OK		0x80
>>> +#define RSU_STAT_USER_OK		0x81
>>> +#define RSU_STAT_FACTORY_OK		0x82
>>> +#define RSU_STAT_USER_FAIL		0x83
>>> +#define RSU_STAT_FACTORY_FAIL		0x84
>>> +#define RSU_STAT_NIOS_FLASH_ERR		0x85
>>> +#define RSU_STAT_FPGA_FLASH_ERR		0x86
>>> +
>>> +#define HOST_STATUS_IDLE		0x0
>>> +#define HOST_STATUS_WRITE_DONE		0x1
>>> +#define HOST_STATUS_ABORT_RSU		0x2
>>> +
>>> +#define rsu_prog(doorbell)	FIELD_GET(DRBL_RSU_PROGRESS, doorbell)
>>> +#define rsu_stat(doorbell)	FIELD_GET(DRBL_RSU_STATUS, doorbell)
>>> +
>>> +/* interval 100ms and timeout 5s */
>>> +#define NIOS_HANDSHAKE_INTERVAL_US	(100 * 1000)
>>> +#define NIOS_HANDSHAKE_TIMEOUT_US	(5 * 1000 * 1000)
>>> +
>>> +/* RSU PREP Timeout (2 minutes) to erase flash staging area */
>>> +#define RSU_PREP_INTERVAL_MS		100
>>> +#define RSU_PREP_TIMEOUT_MS		(2 * 60 * 1000)
>>> +
>>> +/* RSU Complete Timeout (40 minutes) for full flash update */
>>> +#define RSU_COMPLETE_INTERVAL_MS	1000
>>> +#define RSU_COMPLETE_TIMEOUT_MS		(40 * 60 * 1000)
>> minutes is an unusual timeout unit.
>>
>> It may be worthwhile to spell out MINUTES to avoid confusing with micro seconds.
The _MS at the end of the constants means milliseconds. That is pretty
standard, isn't it? Although the wait is 40 minutes, the constant is a
millisecond count that corresponds to 40 minutes. I expanded the definition
to make things more clear: 40 (minutes) * 60 (seconds) * 1000 milliseconds =
(40 minutes expressed in milliseconds).
>> Tom
>>
>>> +
>>> +/* Addresses for security related data in FLASH */
>>> +#define BMC_REH_ADDR	0x17ffc004
>>> +#define BMC_PROG_ADDR	0x17ffc000
>>> +#define BMC_PROG_MAGIC	0x5746
>>> +
>>> +#define SR_REH_ADDR	0x17ffd004
>>> +#define SR_PROG_ADDR	0x17ffd000
>>> +#define SR_PROG_MAGIC	0x5253
>>> +
>>> +#define PR_REH_ADDR	0x17ffe004
>>> +#define PR_PROG_ADDR	0x17ffe000
>>> +#define PR_PROG_MAGIC	0x5250
>>> +
>>> +/* Address of inverted bit vector containing user the image FLASH count */
>>> +#define USER_FLASH_COUNT 0x17ffb000
>>> +
>>>  /**
>>>   * struct intel_m10bmc - Intel MAX 10 BMC parent driver data structure
>>>   * @dev: this device
>>> @@ -35,7 +120,11 @@ struct intel_m10bmc {
>>>   * register access helper functions.
>>>   *
>>>   * m10bmc_raw_read - read m10bmc register per addr
>>> + * m10bmc_raw_bulk_read - bulk read max10 registers per addr
>>> + * m10bmc_raw_bulk_write - bulk write max10 registers per addr
>>> + * m10bmc_raw_update_bits - update max10 register per addr
>>>   * m10bmc_sys_read - read m10bmc system register per offset
>>> + * m10bmc_sys_update_bits - update max10 system register per offset
>>>   */
>>>  static inline int
>>>  m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>> @@ -51,6 +140,48 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>  	return ret;
>>>  }
>>>  
>>> +static inline int
>>> +m10bmc_raw_bulk_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>> +		     void *val, size_t cnt)
>>> +{
>>> +	int ret;
>>> +
>>> +	ret = regmap_bulk_read(m10bmc->regmap, addr, val, cnt);
>>> +	if (ret)
>>> +		dev_err(m10bmc->dev, "fail to read raw reg %x cnt %zx: %d\n",
>>> +			addr, cnt, ret);
>>> +
>>> +	return ret;
>>> +}
>>> +
>>> +static inline int
>>> +m10bmc_raw_bulk_write(struct intel_m10bmc *m10bmc, unsigned int addr,
>>> +		      void *val, size_t cnt)
>>> +{
>>> +	int ret;
>>> +
>>> +	ret = regmap_bulk_write(m10bmc->regmap, addr, val, cnt);
>>> +	if (ret)
>>> +		dev_err(m10bmc->dev, "fail to write raw reg %x cnt %zx: %d\n",
>>> +			addr, cnt, ret);
>>> +
>>> +	return ret;
>>> +}
>>> +
>>> +static inline int
>>> +m10bmc_raw_update_bits(struct intel_m10bmc *m10bmc, unsigned int addr,
>>> +		       unsigned int msk, unsigned int val)
>>> +{
>>> +	int ret;
>>> +
>>> +	ret = regmap_update_bits(m10bmc->regmap, addr, msk, val);
>>> +	if (ret)
>>> +		dev_err(m10bmc->dev, "fail to update raw reg %x: %d\n",
>>> +			addr, ret);
>>> +
>>> +	return ret;
>>> +}
>>> +
>>>  /*
>>>   * The base of the system registers could be configured by HW developers, and
>>>   * in HW SPEC, the base is not added to the addresses of the system registers.
>>> @@ -62,4 +193,7 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>  #define m10bmc_sys_read(m10bmc, offset, val) \
>>>  	m10bmc_raw_read(m10bmc, M10BMC_SYS_BASE + (offset), val)
>>>  
>>> +#define m10bmc_sys_update_bits(m10bmc, offset, msk, val) \
>>> +	m10bmc_raw_update_bits(m10bmc, M10BMC_SYS_BASE + (offset), msk, val)
>>> +
>>>  #endif /* __MFD_INTEL_M10_BMC_H */

Re: [PATCH v2 5/6] fpga: m10bmc-sec: add max10 secure update functions

[Russ Weight]

On 10/6/20 12:08 PM, Tom Rix wrote:
> On 10/2/20 6:24 PM, Russ Weight wrote:
>> Extend the MAX10 BMC Security Engine driver to include
>> the functions that enable secure updates of BMC images,
>> FPGA images, etc.
>>
>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>> ---
>> v2:
>>   - Reworked the rsu_start_done() function to make it more readable
>>   - Reworked while-loop condition/content in rsu_prog_ready()
>>   - Minor code cleanup per review comments
>>   - Added a comment to the m10bmc_sec_poll_complete() function to
>>     explain the context (could take 30+ minutes to complete).
>>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
>>   - Moved MAX10 BMC address and function definitions to a separate
>>     patch.
>> ---
>>  drivers/fpga/intel-m10-bmc-secure.c | 298 ++++++++++++++++++++++++++++
>>  1 file changed, 298 insertions(+)
>>
>> diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
>> index 5bb45499b332..a9617c5b3845 100644
>> --- a/drivers/fpga/intel-m10-bmc-secure.c
>> +++ b/drivers/fpga/intel-m10-bmc-secure.c
>> @@ -201,6 +201,300 @@ static int m10bmc_pr_canceled_csks(struct ifpga_sec_mgr *imgr,
>>  			      csk_map, nbits);
>>  }
>>  
>> +static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
>> +{
>> +	u32 auth_result;
>> +
>> +	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
>> +
>> +	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
>> +		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
>> +}
>> +
>> +static enum ifpga_sec_err rsu_check_idle(struct m10bmc_sec *sec)
>> +{
>> +	u32 doorbell;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +	if (ret)
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +
>> +	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
>> +	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_BUSY;
>> +	}
>> +
>> +	return IFPGA_SEC_ERR_NONE;
>> +}
>> +
>> +static inline bool rsu_start_done(u32 doorbell)
>> +{
>> +	u32 status, progress;
>> +
>> +	if (doorbell & DRBL_RSU_REQUEST)
>> +		return false;
>> +
>> +	status = rsu_stat(doorbell);
>> +	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
>> +		return true;
>> +
>> +	progress = rsu_prog(doorbell);
>> +	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
>> +		return true;
>> +
>> +	return false;
>> +}
>> +
>> +static enum ifpga_sec_err rsu_update_init(struct m10bmc_sec *sec)
>> +{
>> +	u32 doorbell, status;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
>> +				     DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
>> +				     DRBL_RSU_REQUEST |
>> +				     FIELD_PREP(DRBL_HOST_STATUS,
>> +						HOST_STATUS_IDLE));
>> +	if (ret)
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +
>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>> +				       doorbell,
>> +				       rsu_start_done(doorbell),
>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>> +
>> +	if (ret == -ETIMEDOUT) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_TIMEOUT;
>> +	} else if (ret) {
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +	}
>> +
>> +	status = rsu_stat(doorbell);
>> +	if (status == RSU_STAT_WEAROUT) {
>> +		dev_warn(sec->dev, "Excessive flash update count detected\n");
> Device is permanently failing, dev_err or higher is more appropriate than dev_warn.
>
> warn once to limit noisy logs.
This is not a permanent/hard failure. When the flash count (for the staging area)
exceeds 1000, a 30 second delay is imposed on subsequent flashes. When the count
hits 2000, the delay goes to 60 seconds.

Also, flash events shouldn't that often, so I don't think they are going to create
a lot of noise in the logs.

I think this is OK as is?

>
>> +		return IFPGA_SEC_ERR_WEAROUT;
>> +	} else if (status == RSU_STAT_ERASE_FAIL) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_HW_ERROR;
>> +	}
>> +
>> +	return IFPGA_SEC_ERR_NONE;
>> +}
>> +
>> +static enum ifpga_sec_err (struct m10bmc_sec *sec)
>> +{
>> +	unsigned long poll_timeout;
>> +	u32 doorbell, progress;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +	if (ret)
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +
>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
>> +	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
>> +		msleep(RSU_PREP_INTERVAL_MS);
>> +		if (time_after(jiffies, poll_timeout))
>> +			break;
>> +
>> +		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +		if (ret)
>> +			return IFPGA_SEC_ERR_RW_ERROR;
>> +	}
>> +
>> +	progress = rsu_prog(doorbell);
>> +	if (progress == RSU_PROG_PREPARE) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_TIMEOUT;
>> +	} else if (progress != RSU_PROG_READY) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_HW_ERROR;
>> +	}
>> +
>> +	return IFPGA_SEC_ERR_NONE;
>> +}
>> +
>> +static enum ifpga_sec_err rsu_send_data(struct m10bmc_sec *sec)
>> +{
>> +	u32 doorbell;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
>> +				     DRBL_HOST_STATUS,
>> +				     FIELD_PREP(DRBL_HOST_STATUS,
>> +						HOST_STATUS_WRITE_DONE));
>> +	if (ret)
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +
>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>> +				       doorbell,
>> +				       rsu_prog(doorbell) != RSU_PROG_READY,
>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>> +
>> +	if (ret == -ETIMEDOUT) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_TIMEOUT;
>> +	} else if (ret) {
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +	}
>> +
>> +	switch (rsu_stat(doorbell)) {
>> +	case RSU_STAT_NORMAL:
>> +	case RSU_STAT_NIOS_OK:
>> +	case RSU_STAT_USER_OK:
>> +	case RSU_STAT_FACTORY_OK:
>> +		break;
>> +	default:
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_HW_ERROR;
>> +	}
> This and similar below..
>
> switch can be converted to
>
> if (!rsu_stat(doorbell) & (RSU_STAT_NORMAL | ... ))
>
>   fail

These are not bit-flags. The rsu_stat() macro extracts an 8-bit field from
the doorbell register. The current supported values run from 0 to 9.
To do this with if-statements would require something like this:

status = rsu_stat(doorbell);

if ((status != RSU_STAT_NORMAL) && (status != RSU_STAT_NIOS_OK) && ... To me, the switch statement seems cleaner, but I'm willing to change it if you think the if statements are better.

>> +
>> +	return IFPGA_SEC_ERR_NONE;
>> +}
>> +
>> +static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
>> +{
>> +	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
>> +		return -EIO;
>> +
>> +	switch (rsu_stat(*doorbell)) {
>> +	case RSU_STAT_NORMAL:
>> +	case RSU_STAT_NIOS_OK:
>> +	case RSU_STAT_USER_OK:
>> +	case RSU_STAT_FACTORY_OK:
>> +	case RSU_STAT_WEAROUT:
>> +		break;
>> +	default:
>> +		return -EINVAL;
>> +	}
>> +
>> +	switch (rsu_prog(*doorbell)) {
>> +	case RSU_PROG_IDLE:
>> +	case RSU_PROG_RSU_DONE:
>> +		return 0;
>> +	case RSU_PROG_AUTHENTICATING:
>> +	case RSU_PROG_COPYING:
>> +	case RSU_PROG_UPDATE_CANCEL:
>> +	case RSU_PROG_PROGRAM_KEY_HASH:
>> +		return -EAGAIN;
>> +	default:
>> +		return -EINVAL;
>> +	}
>> +}
>> +
>> +static enum ifpga_sec_err m10bmc_sec_prepare(struct ifpga_sec_mgr *imgr)
>> +{
>> +	struct m10bmc_sec *sec = imgr->priv;
>> +	enum ifpga_sec_err ret;
>> +
>> +	if (imgr->remaining_size > M10BMC_STAGING_SIZE)
>> +		return IFPGA_SEC_ERR_INVALID_SIZE;
>> +
>> +	ret = rsu_check_idle(sec);
>> +	if (ret)
> This needs to change, generally, to
>
> if (ret != IFPGA_SEC_ERR_NONE)
Yes, I'll make this change. There are also a couple of places in the
class driver where the same changes need to be made (for the update ops).
I'll take care of that as well.

>
>> +		return ret;
>> +
>> +	ret = rsu_update_init(sec);
>> +	if (ret)
>> +		return ret;
>> +
>> +	return rsu_prog_ready(sec);
>> +}
>> +
>> +static enum ifpga_sec_err
>> +m10bmc_sec_write_blk(struct ifpga_sec_mgr *imgr, u32 offset, u32 size)
>> +{
>> +	struct m10bmc_sec *sec = imgr->priv;
>> +	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>> +	u32 doorbell;
>> +	int ret;
>> +
> size check here.
The size check is done in the prepare function above at the beginning of
the update process.
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> Wondering about the use of m10bmc_sys_read generally.
>
> If secure writing depends on new mmio region why not use the raw_read ?
>
> wondering if mixing old door bell regs with new sec regs would even work.

We were able to share code between non-secure and secure hardware by using this
approach. Instead of having a constant for the base address, the base address
was determined based on the hardware. The register offsets were the same, so the
code was generally the same for both secure and non-secure hardware - with a few
exceptions.

You are correct that the doorbell register has no application in the non-secure
hardware, but it could potentially have meaning for a future device with a
different base address for the register space.

>
>> +	if (ret) {
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_HW_ERROR;
>> +	}
>> +
>> +	ret = m10bmc_raw_bulk_write(sec->m10bmc, M10BMC_STAGING_BASE + offset,
>> +				    (void *)imgr->data + offset, size / stride);
>> +
>> +	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
>> +}
>> +
>> +/*
>> + * m10bmc_sec_poll_complete() is called after handing things off to
>> + * the BMC firmware. Depending on the type of update, it could be
>> + * 30+ minutes before the BMC firmware completes the update. The
>> + * imgr->driver_unload check allows the driver to be unloaded,
>> + * but the BMC firmware will continue the update and no further
>> + * secure updates can be started for this device until the update
>> + * is complete.
>> + */
>> +static enum ifpga_sec_err m10bmc_sec_poll_complete(struct ifpga_sec_mgr *imgr)
>> +{
>> +	struct m10bmc_sec *sec = imgr->priv;
>> +	unsigned long poll_timeout;
>> +	enum ifpga_sec_err result;
>> +	u32 doorbell;
>> +	int ret;
>> +
>> +	result = rsu_send_data(sec);
>> +	if (result)
>> +		return result;
>> +
>> +	ret = rsu_check_complete(sec, &doorbell);
>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
>> +
>> +	while (ret == -EAGAIN && !time_after(jiffies, poll_timeout)) {
>> +		msleep(RSU_COMPLETE_INTERVAL_MS);
>> +		ret = rsu_check_complete(sec, &doorbell);
>> +		if (imgr->driver_unload)
>> +			return IFPGA_SEC_ERR_CANCELED;
> Instead of checking for complete could you check the progress ?
>
> hate for it to fail with 90% done.
I'm not sure I'm understanding the question. Once the hardwarehas received the
image data and begun the update process, there is no ability to handshake with
the HW until the process is complete. All we can do is monitor the progress field,
which is what the rsu_check_complete() function does. As long as there are no
errors and the status looks OK, we continue to wait up to 40 minutes for the
process to complete.

Thanks for the comments!
- Russ

>
> Tom
>
>> +	}
>> +
>> +	if (ret == -EAGAIN) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_TIMEOUT;
>> +	} else if (ret == -EIO) {
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +	} else if (ret) {
>> +		log_error_regs(sec, doorbell);
>> +		return IFPGA_SEC_ERR_HW_ERROR;
>> +	}
>> +
>> +	return IFPGA_SEC_ERR_NONE;
>> +}
>> +
>> +static enum ifpga_sec_err m10bmc_sec_cancel(struct ifpga_sec_mgr *imgr)
>> +{
>> +	struct m10bmc_sec *sec = imgr->priv;
>> +	u32 doorbell;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +	if (ret)
>> +		return IFPGA_SEC_ERR_RW_ERROR;
>> +
>> +	if (rsu_prog(doorbell) != RSU_PROG_READY)
>> +		return IFPGA_SEC_ERR_BUSY;
>> +
>> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
>> +				     DRBL_HOST_STATUS,
>> +				     FIELD_PREP(DRBL_HOST_STATUS,
>> +						HOST_STATUS_ABORT_RSU));
>> +
>> +	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
>> +}
>> +
>>  static const struct ifpga_sec_mgr_ops m10bmc_iops = {
>>  	.user_flash_count = m10bmc_user_flash_count,
>>  	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
>> @@ -215,6 +509,10 @@ static const struct ifpga_sec_mgr_ops m10bmc_iops = {
>>  	.bmc_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>>  	.sr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>>  	.pr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>> +	.prepare = m10bmc_sec_prepare,
>> +	.write_blk = m10bmc_sec_write_blk,
>> +	.poll_complete = m10bmc_sec_poll_complete,
>> +	.cancel = m10bmc_sec_cancel,
>>  };
>>  
>>  static int m10bmc_secure_probe(struct platform_device *pdev)

Re: [PATCH v2 1/6] mfd: intel-m10-bmc: support for MAX10 BMC Security Engine

[Tom Rix]

On 10/8/20 4:03 PM, Russ Weight wrote:
> I just realized that I missed a few questions on my first reply.
> Please see my responses below.
>
> On 10/7/20 5:52 PM, Russ Weight wrote:
>> On 10/6/20 9:34 AM, Tom Rix wrote:
>>> On 10/2/20 6:24 PM, Russ Weight wrote:
>>>> Add macros and definitions required by the MAX10 BMC
>>>> Security Engine driver.
>>>>
>>>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>>>> ---
>>>> v2:
>>>>   - These functions and macros were previously distributed among
>>>>     the patches that needed them. They are now grouped together
>>>>     in a single patch containing changes to the Intel MAX10 BMC
>>>>     driver.
>>>>   - Added DRBL_ prefix to some definitions
>>>>   - Some address definitions were moved here from the .c files that
>>>>     use them.
>>>> ---
>>>>  include/linux/mfd/intel-m10-bmc.h | 134 ++++++++++++++++++++++++++++++
>>>>  1 file changed, 134 insertions(+)
>>>>
>>>> diff --git a/include/linux/mfd/intel-m10-bmc.h b/include/linux/mfd/intel-m10-bmc.h
>>>> index c8ef2f1654a4..880f907302eb 100644
>>>> --- a/include/linux/mfd/intel-m10-bmc.h
>>>> +++ b/include/linux/mfd/intel-m10-bmc.h
>>>> @@ -13,6 +13,9 @@
>>>>  #define M10BMC_SYS_BASE			0x300800
>>>>  #define M10BMC_MEM_END			0x200000fc
>>>>  
>>>> +#define M10BMC_STAGING_BASE		0x18000000
>>>> +#define M10BMC_STAGING_SIZE		0x3800000
>>> The staging size is not used, please use it in m10bmc_sec_write_blk to
>>>
>>> check the input parameter 'size'
>> It is used to check the input size in the prepare function:
>> m10bmc_sec_prepare()
>>
>>         if (smgr->remaining_size > M10BMC_STAGING_SIZE)
>>                 return FPGA_SEC_ERR_INVALID_SIZE;
ok, i missing this.
>>
>> - Russ
>>
>>>> +
>>>>  /* Register offset of system registers */
>>>>  #define NIOS2_FW_VERSION		0x0
>>>>  #define M10BMC_TEST_REG			0x3c
>>>> @@ -21,6 +24,88 @@
>>>>  #define M10BMC_VER_PCB_INFO_MSK		GENMASK(31, 24)
>>>>  #define M10BMC_VER_LEGACY_INVALID	0xffffffff
>>>>  
>>>> +/* Secure update doorbell register, in system register region */
>>>> +#define M10BMC_DOORBELL			0x400
>>>> +
>>>> +/* Authorization Result register, in system register region */
>>>> +#define M10BMC_AUTH_RESULT		0x404
>>>> +
>>>> +/* Doorbell register fields */
>>>> +#define DRBL_RSU_REQUEST		BIT(0)
>>>> +#define DRBL_RSU_PROGRESS		GENMASK(7, 4)
>>>> +#define DRBL_HOST_STATUS		GENMASK(11, 8)
>>>> +#define DRBL_RSU_STATUS			GENMASK(23, 16)
>>>> +#define DRBL_PKVL_EEPROM_LOAD_SEC	BIT(24)
>>>> +#define DRBL_PKVL1_POLL_EN		BIT(25)
>>>> +#define DRBL_PKVL2_POLL_EN		BIT(26)
>>> PKVL seems like it would be n3000 specific.
>>>
>>> For this and similar it may be good to add a _N3000_ in the name.
> I'm hoping Yilun and Hao might chime in here. We have substituted PKVL
> for Retimer in some places in the code.
>>>> +#define DRBL_CONFIG_SEL			BIT(28)
>>>> +#define DRBL_REBOOT_REQ			BIT(29)
>>>> +#define DRBL_REBOOT_DISABLED		BIT(30)
>>>> +
>>>> +/* Progress states */
>>>> +#define RSU_PROG_IDLE			0x0
>>>> +#define RSU_PROG_PREPARE		0x1
>>>> +#define RSU_PROG_READY			0x3
>>>> +#define RSU_PROG_AUTHENTICATING		0x4
>>>> +#define RSU_PROG_COPYING		0x5
>>>> +#define RSU_PROG_UPDATE_CANCEL		0x6
>>>> +#define RSU_PROG_PROGRAM_KEY_HASH	0x7
>>>> +#define RSU_PROG_RSU_DONE		0x8
>>>> +#define RSU_PROG_PKVL_PROM_DONE		0x9
>>>> +
>>>> +/* Device and error states */
>>>> +#define RSU_STAT_NORMAL			0x0
>>>> +#define RSU_STAT_TIMEOUT		0x1
>>>> +#define RSU_STAT_AUTH_FAIL		0x2
>>>> +#define RSU_STAT_COPY_FAIL		0x3
>>>> +#define RSU_STAT_FATAL			0x4
>>>> +#define RSU_STAT_PKVL_REJECT		0x5
>>>> +#define RSU_STAT_NON_INC		0x6
>>>> +#define RSU_STAT_ERASE_FAIL		0x7
>>>> +#define RSU_STAT_WEAROUT		0x8
>>>> +#define RSU_STAT_NIOS_OK		0x80
>>>> +#define RSU_STAT_USER_OK		0x81
>>>> +#define RSU_STAT_FACTORY_OK		0x82
>>>> +#define RSU_STAT_USER_FAIL		0x83
>>>> +#define RSU_STAT_FACTORY_FAIL		0x84
>>>> +#define RSU_STAT_NIOS_FLASH_ERR		0x85
>>>> +#define RSU_STAT_FPGA_FLASH_ERR		0x86
>>>> +
>>>> +#define HOST_STATUS_IDLE		0x0
>>>> +#define HOST_STATUS_WRITE_DONE		0x1
>>>> +#define HOST_STATUS_ABORT_RSU		0x2
>>>> +
>>>> +#define rsu_prog(doorbell)	FIELD_GET(DRBL_RSU_PROGRESS, doorbell)
>>>> +#define rsu_stat(doorbell)	FIELD_GET(DRBL_RSU_STATUS, doorbell)
>>>> +
>>>> +/* interval 100ms and timeout 5s */
>>>> +#define NIOS_HANDSHAKE_INTERVAL_US	(100 * 1000)
>>>> +#define NIOS_HANDSHAKE_TIMEOUT_US	(5 * 1000 * 1000)
>>>> +
>>>> +/* RSU PREP Timeout (2 minutes) to erase flash staging area */
>>>> +#define RSU_PREP_INTERVAL_MS		100
>>>> +#define RSU_PREP_TIMEOUT_MS		(2 * 60 * 1000)
>>>> +
>>>> +/* RSU Complete Timeout (40 minutes) for full flash update */
>>>> +#define RSU_COMPLETE_INTERVAL_MS	1000
>>>> +#define RSU_COMPLETE_TIMEOUT_MS		(40 * 60 * 1000)
>>> minutes is an unusual timeout unit.
>>>
>>> It may be worthwhile to spell out MINUTES to avoid confusing with micro seconds.
> The _MS at the end of the constants means milliseconds. That is pretty
> standard, isn't it? Although the wait is 40 minutes, the constant is a
> millisecond count that corresponds to 40 minutes. I expanded the definition
> to make things more clear: 40 (minutes) * 60 (seconds) * 1000 milliseconds (40 minutes expressed in milliseconds).

sorry, my fault, i read this to fast.

Tom

>>> Tom
>>>
>>>> +
>>>> +/* Addresses for security related data in FLASH */
>>>> +#define BMC_REH_ADDR	0x17ffc004
>>>> +#define BMC_PROG_ADDR	0x17ffc000
>>>> +#define BMC_PROG_MAGIC	0x5746
>>>> +
>>>> +#define SR_REH_ADDR	0x17ffd004
>>>> +#define SR_PROG_ADDR	0x17ffd000
>>>> +#define SR_PROG_MAGIC	0x5253
>>>> +
>>>> +#define PR_REH_ADDR	0x17ffe004
>>>> +#define PR_PROG_ADDR	0x17ffe000
>>>> +#define PR_PROG_MAGIC	0x5250
>>>> +
>>>> +/* Address of inverted bit vector containing user the image FLASH count */
>>>> +#define USER_FLASH_COUNT 0x17ffb000
>>>> +
>>>>  /**
>>>>   * struct intel_m10bmc - Intel MAX 10 BMC parent driver data structure
>>>>   * @dev: this device
>>>> @@ -35,7 +120,11 @@ struct intel_m10bmc {
>>>>   * register access helper functions.
>>>>   *
>>>>   * m10bmc_raw_read - read m10bmc register per addr
>>>> + * m10bmc_raw_bulk_read - bulk read max10 registers per addr
>>>> + * m10bmc_raw_bulk_write - bulk write max10 registers per addr
>>>> + * m10bmc_raw_update_bits - update max10 register per addr
>>>>   * m10bmc_sys_read - read m10bmc system register per offset
>>>> + * m10bmc_sys_update_bits - update max10 system register per offset
>>>>   */
>>>>  static inline int
>>>>  m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>> @@ -51,6 +140,48 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>>  	return ret;
>>>>  }
>>>>  
>>>> +static inline int
>>>> +m10bmc_raw_bulk_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>> +		     void *val, size_t cnt)
>>>> +{
>>>> +	int ret;
>>>> +
>>>> +	ret = regmap_bulk_read(m10bmc->regmap, addr, val, cnt);
>>>> +	if (ret)
>>>> +		dev_err(m10bmc->dev, "fail to read raw reg %x cnt %zx: %d\n",
>>>> +			addr, cnt, ret);
>>>> +
>>>> +	return ret;
>>>> +}
>>>> +
>>>> +static inline int
>>>> +m10bmc_raw_bulk_write(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>> +		      void *val, size_t cnt)
>>>> +{
>>>> +	int ret;
>>>> +
>>>> +	ret = regmap_bulk_write(m10bmc->regmap, addr, val, cnt);
>>>> +	if (ret)
>>>> +		dev_err(m10bmc->dev, "fail to write raw reg %x cnt %zx: %d\n",
>>>> +			addr, cnt, ret);
>>>> +
>>>> +	return ret;
>>>> +}
>>>> +
>>>> +static inline int
>>>> +m10bmc_raw_update_bits(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>> +		       unsigned int msk, unsigned int val)
>>>> +{
>>>> +	int ret;
>>>> +
>>>> +	ret = regmap_update_bits(m10bmc->regmap, addr, msk, val);
>>>> +	if (ret)
>>>> +		dev_err(m10bmc->dev, "fail to update raw reg %x: %d\n",
>>>> +			addr, ret);
>>>> +
>>>> +	return ret;
>>>> +}
>>>> +
>>>>  /*
>>>>   * The base of the system registers could be configured by HW developers, and
>>>>   * in HW SPEC, the base is not added to the addresses of the system registers.
>>>> @@ -62,4 +193,7 @@ m10bmc_raw_read(struct intel_m10bmc *m10bmc, unsigned int addr,
>>>>  #define m10bmc_sys_read(m10bmc, offset, val) \
>>>>  	m10bmc_raw_read(m10bmc, M10BMC_SYS_BASE + (offset), val)
>>>>  
>>>> +#define m10bmc_sys_update_bits(m10bmc, offset, msk, val) \
>>>> +	m10bmc_raw_update_bits(m10bmc, M10BMC_SYS_BASE + (offset), msk, val)
>>>> +
>>>>  #endif /* __MFD_INTEL_M10_BMC_H */

Re: [PATCH v2 5/6] fpga: m10bmc-sec: add max10 secure update functions

[Tom Rix]

On 10/8/20 4:06 PM, Russ Weight wrote:
>
> On 10/6/20 12:08 PM, Tom Rix wrote:
>> On 10/2/20 6:24 PM, Russ Weight wrote:
>>> Extend the MAX10 BMC Security Engine driver to include
>>> the functions that enable secure updates of BMC images,
>>> FPGA images, etc.
>>>
>>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>>> ---
>>> v2:
>>>   - Reworked the rsu_start_done() function to make it more readable
>>>   - Reworked while-loop condition/content in rsu_prog_ready()
>>>   - Minor code cleanup per review comments
>>>   - Added a comment to the m10bmc_sec_poll_complete() function to
>>>     explain the context (could take 30+ minutes to complete).
>>>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
>>>   - Moved MAX10 BMC address and function definitions to a separate
>>>     patch.
>>> ---
>>>  drivers/fpga/intel-m10-bmc-secure.c | 298 ++++++++++++++++++++++++++++
>>>  1 file changed, 298 insertions(+)
>>>
>>> diff --git a/drivers/fpga/intel-m10-bmc-secure.c b/drivers/fpga/intel-m10-bmc-secure.c
>>> index 5bb45499b332..a9617c5b3845 100644
>>> --- a/drivers/fpga/intel-m10-bmc-secure.c
>>> +++ b/drivers/fpga/intel-m10-bmc-secure.c
>>> @@ -201,6 +201,300 @@ static int m10bmc_pr_canceled_csks(struct ifpga_sec_mgr *imgr,
>>>  			      csk_map, nbits);
>>>  }
>>>  
>>> +static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
>>> +{
>>> +	u32 auth_result;
>>> +
>>> +	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
>>> +
>>> +	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
>>> +		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
>>> +}
>>> +
>>> +static enum ifpga_sec_err rsu_check_idle(struct m10bmc_sec *sec)
>>> +{
>>> +	u32 doorbell;
>>> +	int ret;
>>> +
>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>> +	if (ret)
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +
>>> +	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
>>> +	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_BUSY;
>>> +	}
>>> +
>>> +	return IFPGA_SEC_ERR_NONE;
>>> +}
>>> +
>>> +static inline bool rsu_start_done(u32 doorbell)
>>> +{
>>> +	u32 status, progress;
>>> +
>>> +	if (doorbell & DRBL_RSU_REQUEST)
>>> +		return false;
>>> +
>>> +	status = rsu_stat(doorbell);
>>> +	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
>>> +		return true;
>>> +
>>> +	progress = rsu_prog(doorbell);
>>> +	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
>>> +		return true;
>>> +
>>> +	return false;
>>> +}
>>> +
>>> +static enum ifpga_sec_err rsu_update_init(struct m10bmc_sec *sec)
>>> +{
>>> +	u32 doorbell, status;
>>> +	int ret;
>>> +
>>> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
>>> +				     DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
>>> +				     DRBL_RSU_REQUEST |
>>> +				     FIELD_PREP(DRBL_HOST_STATUS,
>>> +						HOST_STATUS_IDLE));
>>> +	if (ret)
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +
>>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>>> +				       doorbell,
>>> +				       rsu_start_done(doorbell),
>>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>>> +
>>> +	if (ret == -ETIMEDOUT) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_TIMEOUT;
>>> +	} else if (ret) {
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +	}
>>> +
>>> +	status = rsu_stat(doorbell);
>>> +	if (status == RSU_STAT_WEAROUT) {
>>> +		dev_warn(sec->dev, "Excessive flash update count detected\n");
>> Device is permanently failing, dev_err or higher is more appropriate than dev_warn.
>>
>> warn once to limit noisy logs.
> This is not a permanent/hard failure. When the flash count (for the staging area)
> exceeds 1000, a 30 second delay is imposed on subsequent flashes. When the count
> hits 2000, the delay goes to 60 seconds.
>
> Also, flash events shouldn't that often, so I don't think they are going to create
> a lot of noise in the logs.
>
> I think this is OK as is?

If the extra, worse case time is accounted for in the current timeout, yes this is fine.

>
>>> +		return IFPGA_SEC_ERR_WEAROUT;
>>> +	} else if (status == RSU_STAT_ERASE_FAIL) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_HW_ERROR;
>>> +	}
>>> +
>>> +	return IFPGA_SEC_ERR_NONE;
>>> +}
>>> +
>>> +static enum ifpga_sec_err (struct m10bmc_sec *sec)
>>> +{
>>> +	unsigned long poll_timeout;
>>> +	u32 doorbell, progress;
>>> +	int ret;
>>> +
>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>> +	if (ret)
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +
>>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
>>> +	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
>>> +		msleep(RSU_PREP_INTERVAL_MS);
>>> +		if (time_after(jiffies, poll_timeout))
>>> +			break;
>>> +
>>> +		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>> +		if (ret)
>>> +			return IFPGA_SEC_ERR_RW_ERROR;
>>> +	}
>>> +
>>> +	progress = rsu_prog(doorbell);
>>> +	if (progress == RSU_PROG_PREPARE) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_TIMEOUT;
>>> +	} else if (progress != RSU_PROG_READY) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_HW_ERROR;
>>> +	}
>>> +
>>> +	return IFPGA_SEC_ERR_NONE;
>>> +}
>>> +
>>> +static enum ifpga_sec_err rsu_send_data(struct m10bmc_sec *sec)
>>> +{
>>> +	u32 doorbell;
>>> +	int ret;
>>> +
>>> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
>>> +				     DRBL_HOST_STATUS,
>>> +				     FIELD_PREP(DRBL_HOST_STATUS,
>>> +						HOST_STATUS_WRITE_DONE));
>>> +	if (ret)
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +
>>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>>> +				       doorbell,
>>> +				       rsu_prog(doorbell) != RSU_PROG_READY,
>>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>>> +
>>> +	if (ret == -ETIMEDOUT) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_TIMEOUT;
>>> +	} else if (ret) {
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +	}
>>> +
>>> +	switch (rsu_stat(doorbell)) {
>>> +	case RSU_STAT_NORMAL:
>>> +	case RSU_STAT_NIOS_OK:
>>> +	case RSU_STAT_USER_OK:
>>> +	case RSU_STAT_FACTORY_OK:
>>> +		break;
>>> +	default:
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_HW_ERROR;
>>> +	}
>> This and similar below..
>>
>> switch can be converted to
>>
>> if (!rsu_stat(doorbell) & (RSU_STAT_NORMAL | ... ))
>>
>>   fail
> These are not bit-flags. The rsu_stat() macro extracts an 8-bit field from
> the doorbell register. The current supported values run from 0 to 9.
> To do this with if-statements would require something like this:
>
> status = rsu_stat(doorbell);
>
> if ((status != RSU_STAT_NORMAL) && (status != RSU_STAT_NIOS_OK) && ... To me, the switch statement seems cleaner, but I'm willing to change it if you think the if statements are better.
Ah. ok fine as-is
>>> +
>>> +	return IFPGA_SEC_ERR_NONE;
>>> +}
>>> +
>>> +static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
>>> +{
>>> +	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
>>> +		return -EIO;
>>> +
>>> +	switch (rsu_stat(*doorbell)) {
>>> +	case RSU_STAT_NORMAL:
>>> +	case RSU_STAT_NIOS_OK:
>>> +	case RSU_STAT_USER_OK:
>>> +	case RSU_STAT_FACTORY_OK:
>>> +	case RSU_STAT_WEAROUT:
>>> +		break;
>>> +	default:
>>> +		return -EINVAL;
>>> +	}
>>> +
>>> +	switch (rsu_prog(*doorbell)) {
>>> +	case RSU_PROG_IDLE:
>>> +	case RSU_PROG_RSU_DONE:
>>> +		return 0;
>>> +	case RSU_PROG_AUTHENTICATING:
>>> +	case RSU_PROG_COPYING:
>>> +	case RSU_PROG_UPDATE_CANCEL:
>>> +	case RSU_PROG_PROGRAM_KEY_HASH:
>>> +		return -EAGAIN;
>>> +	default:
>>> +		return -EINVAL;
>>> +	}
>>> +}
>>> +
>>> +static enum ifpga_sec_err m10bmc_sec_prepare(struct ifpga_sec_mgr *imgr)
>>> +{
>>> +	struct m10bmc_sec *sec = imgr->priv;
>>> +	enum ifpga_sec_err ret;
>>> +
>>> +	if (imgr->remaining_size > M10BMC_STAGING_SIZE)
>>> +		return IFPGA_SEC_ERR_INVALID_SIZE;
>>> +
>>> +	ret = rsu_check_idle(sec);
>>> +	if (ret)
>> This needs to change, generally, to
>>
>> if (ret != IFPGA_SEC_ERR_NONE)
> Yes, I'll make this change. There are also a couple of places in the
> class driver where the same changes need to be made (for the update ops).
> I'll take care of that as well.
>
>>> +		return ret;
>>> +
>>> +	ret = rsu_update_init(sec);
>>> +	if (ret)
>>> +		return ret;
>>> +
>>> +	return rsu_prog_ready(sec);
>>> +}
>>> +
>>> +static enum ifpga_sec_err
>>> +m10bmc_sec_write_blk(struct ifpga_sec_mgr *imgr, u32 offset, u32 size)
>>> +{
>>> +	struct m10bmc_sec *sec = imgr->priv;
>>> +	unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>>> +	u32 doorbell;
>>> +	int ret;
>>> +
>> size check here.
> The size check is done in the prepare function above at the beginning of
> the update process.
ok
>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> Wondering about the use of m10bmc_sys_read generally.
>>
>> If secure writing depends on new mmio region why not use the raw_read ?
>>
>> wondering if mixing old door bell regs with new sec regs would even work.
> We were able to share code between non-secure and secure hardware by using this
> approach. Instead of having a constant for the base address, the base address
> was determined based on the hardware. The register offsets were the same, so the
> code was generally the same for both secure and non-secure hardware - with a few
> exceptions.
>
> You are correct that the doorbell register has no application in the non-secure
> hardware, but it could potentially have meaning for a future device with a
> different base address for the register space.
>
>>> +	if (ret) {
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_HW_ERROR;
>>> +	}
>>> +
>>> +	ret = m10bmc_raw_bulk_write(sec->m10bmc, M10BMC_STAGING_BASE + offset,
>>> +				    (void *)imgr->data + offset, size / stride);
>>> +
>>> +	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
>>> +}
>>> +
>>> +/*
>>> + * m10bmc_sec_poll_complete() is called after handing things off to
>>> + * the BMC firmware. Depending on the type of update, it could be
>>> + * 30+ minutes before the BMC firmware completes the update. The
>>> + * imgr->driver_unload check allows the driver to be unloaded,
>>> + * but the BMC firmware will continue the update and no further
>>> + * secure updates can be started for this device until the update
>>> + * is complete.
>>> + */
>>> +static enum ifpga_sec_err m10bmc_sec_poll_complete(struct ifpga_sec_mgr *imgr)
>>> +{
>>> +	struct m10bmc_sec *sec = imgr->priv;
>>> +	unsigned long poll_timeout;
>>> +	enum ifpga_sec_err result;
>>> +	u32 doorbell;
>>> +	int ret;
>>> +
>>> +	result = rsu_send_data(sec);
>>> +	if (result)
>>> +		return result;
>>> +
>>> +	ret = rsu_check_complete(sec, &doorbell);
>>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
>>> +
>>> +	while (ret == -EAGAIN && !time_after(jiffies, poll_timeout)) {
>>> +		msleep(RSU_COMPLETE_INTERVAL_MS);
>>> +		ret = rsu_check_complete(sec, &doorbell);
>>> +		if (imgr->driver_unload)
>>> +			return IFPGA_SEC_ERR_CANCELED;
>> Instead of checking for complete could you check the progress ?
>>
>> hate for it to fail with 90% done.
> I'm not sure I'm understanding the question. Once the hardwarehas received the
> image data and begun the update process, there is no ability to handshake with
> the HW until the process is complete. All we can do is monitor the progress field,
> which is what the rsu_check_complete() function does. As long as there are no
> errors and the status looks OK, we continue to wait up to 40 minutes for the
> process to complete.
>
> Thanks for the comments!

ok, update is a reallly long atomic.

Tom

> - Russ
>
>> Tom
>>
>>> +	}
>>> +
>>> +	if (ret == -EAGAIN) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_TIMEOUT;
>>> +	} else if (ret == -EIO) {
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +	} else if (ret) {
>>> +		log_error_regs(sec, doorbell);
>>> +		return IFPGA_SEC_ERR_HW_ERROR;
>>> +	}
>>> +
>>> +	return IFPGA_SEC_ERR_NONE;
>>> +}
>>> +
>>> +static enum ifpga_sec_err m10bmc_sec_cancel(struct ifpga_sec_mgr *imgr)
>>> +{
>>> +	struct m10bmc_sec *sec = imgr->priv;
>>> +	u32 doorbell;
>>> +	int ret;
>>> +
>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>> +	if (ret)
>>> +		return IFPGA_SEC_ERR_RW_ERROR;
>>> +
>>> +	if (rsu_prog(doorbell) != RSU_PROG_READY)
>>> +		return IFPGA_SEC_ERR_BUSY;
>>> +
>>> +	ret = m10bmc_sys_update_bits(sec->m10bmc, M10BMC_DOORBELL,
>>> +				     DRBL_HOST_STATUS,
>>> +				     FIELD_PREP(DRBL_HOST_STATUS,
>>> +						HOST_STATUS_ABORT_RSU));
>>> +
>>> +	return ret ? IFPGA_SEC_ERR_RW_ERROR : IFPGA_SEC_ERR_NONE;
>>> +}
>>> +
>>>  static const struct ifpga_sec_mgr_ops m10bmc_iops = {
>>>  	.user_flash_count = m10bmc_user_flash_count,
>>>  	.bmc_root_entry_hash = m10bmc_bmc_root_entry_hash,
>>> @@ -215,6 +509,10 @@ static const struct ifpga_sec_mgr_ops m10bmc_iops = {
>>>  	.bmc_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>>>  	.sr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>>>  	.pr_canceled_csk_nbits = m10bmc_csk_cancel_nbits,
>>> +	.prepare = m10bmc_sec_prepare,
>>> +	.write_blk = m10bmc_sec_write_blk,
>>> +	.poll_complete = m10bmc_sec_poll_complete,
>>> +	.cancel = m10bmc_sec_cancel,
>>>  };
>>>  
>>>  static int m10bmc_secure_probe(struct platform_device *pdev)